inc_ransom | hxxps://bazaar[.]abuse[.]ch/sample/5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e/

Analysis

max time kernel
332s
max time network
336s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-11-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e/

Score

10^/10

inc_ransom credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\INC-README.html

Ransom Note

<html> <head> <title>INC Ransom</title> </head> <body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"> <div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">665af7f73547f22b7c347ef4</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span> <span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span> <span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span> <span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span> <span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span> <span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span> </div> </div> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span> <span style="font-size: 14px; margin-top: 8px;">We are not a politically motivated group and we want nothing more than money.</span> <span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. They won't help you.</span> <span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span> <span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span> <span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span> <span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span> <span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span> <span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span> </div> </div> </div> </body> </html>

URLs

https://twitter.com/hashtag/incransom?f=live</span>

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note

~~~~ INC Ransom ~~~~ -----> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Link: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/ http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ Link for normal browser: http://incapt.su/ -----> What guarantees are that we won't fool you? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly restore your systems and make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live -----> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world. Tor Browser Link for chat: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/ Your personal ID: 665af7f73547f22b7c347ef4 -----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files! -----> Don't go to the police or the FBI for help. They won't help you. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files. This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI won't protect you from repeated attacks. -----> Don't go to recovery companies! They are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M. If you approached us directly without intermediaries you would pay several times less. -----> For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. In most cases, we find this information and download it. -----> If you do not pay the ransom, we will attack your company again in the future.

URLs

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

http://incapt.su/

https://twitter.com/hashtag/incransom?f=live

http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Signatures

INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
ransomware inc_ransom
Inc_ransom family
inc_ransom
Renames multiple (323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

pid	Process
4496	win.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	win.exe
File opened (read-only)	\??\N:	win.exe
File opened (read-only)	\??\Q:	win.exe
File opened (read-only)	\??\R:	win.exe
File opened (read-only)	\??\S:	win.exe
File opened (read-only)	\??\A:	win.exe
File opened (read-only)	\??\M:	win.exe
File opened (read-only)	\??\I:	win.exe
File opened (read-only)	\??\K:	win.exe
File opened (read-only)	\??\L:	win.exe
File opened (read-only)	\??\T:	win.exe
File opened (read-only)	\??\V:	win.exe
File opened (read-only)	\??\W:	win.exe
File opened (read-only)	\??\X:	win.exe
File opened (read-only)	\??\Z:	win.exe
File opened (read-only)	\??\E:	win.exe
File opened (read-only)	\??\B:	win.exe
File opened (read-only)	\??\H:	win.exe
File opened (read-only)	\??\J:	win.exe
File opened (read-only)	\??\O:	win.exe
File opened (read-only)	\??\P:	win.exe
File opened (read-only)	\??\U:	win.exe
File opened (read-only)	\??\Y:	win.exe
File opened (read-only)	\??\F:	win.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PP_899knq2v3wrl7bmlly6q_xs.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	win.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	win.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"	win.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	ONENOTE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766115325284574"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5704	ONENOTE.EXE
5704	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
5704	ONENOTE.EXE
5704	ONENOTE.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1508	7zG.exe
2768	7zG.exe
888	7zG.exe
1724	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE
5704	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 4276	1904	chrome.exe	79
PID 1904 wrote to memory of 4276	1904	chrome.exe	79
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3344	1904	chrome.exe	80
PID 1904 wrote to memory of 3568	1904	chrome.exe	81
PID 1904 wrote to memory of 3568	1904	chrome.exe	81
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82
PID 1904 wrote to memory of 72	1904	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb99e7cc40,0x7ffb99e7cc4c,0x7ffb99e7cc58
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:3
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:72
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,4605375868047032533,13339168251838202179,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1692

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18002:190:7zEvent1104
1⤵
- Suspicious use of FindShellTrayWindow
PID:1508

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1907:190:7zEvent6089
1⤵
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\" -ad -an -ai#7zMap13021:190:7zEvent1830
1⤵
- Suspicious use of FindShellTrayWindow
PID:888

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\" -ad -an -ai#7zMap6419:320:7zEvent24528
1⤵
- Suspicious use of FindShellTrayWindow
PID:1724

C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\win.exe
"C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\win.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5492

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:5596
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{E34DF56F-B679-44F5-B0EF-81F7301DE148}.xps" 133766116863900000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\INC-README.html

Filesize
8KB

MD5
fe75098393bf7204cb97b2efdc2b3125

SHA1
dd77bc4c4cf68ed563eb2c9858aecd5a6b7361e9

SHA256
cbae2cba2f77cddee022999f1b1c7932999eb8695201aa8c6655d2752af89aae

SHA512
cee45654469f9c375f408ebfa68162fded19ef7254da57f0970da6e4c3cc771dfa89fdb28a4d26a98b7823810459761aeb0dbf0811bee0860f3404d3e23f61a9

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
902665179734a46aa9c728132acc7c45

SHA1
516fe25899b229a7f2072c4497609b6c59a8bb9a

SHA256
b98f1490d80a98e43cecbf3abf9e2ac184b59348cabd9de4c5ce042f1ae188b2

SHA512
6752b39f3f3ed1df513c46eccfa16283aebd739c38b765396c294cdacf4a6b0eb15020006420e96310a10ad26a93a76757c81c7bd57bd4d9f1afa3cb40e7b659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
3e813d92a83c4bcd40f69b82b478fd2e

SHA1
561eacf2f79a906731e629b5c67a61cb38e3d71b

SHA256
713c3f20656bf06f9a063dcc0e744050ffd9b1a89832212aa70e123b1f996edd

SHA512
eb4195fa04f3c439c3ca0721d20f667a0b2faec8a55601fb56d15e5f60d4eeeb26ecfadac792a1dcacea0c1aef629cd9809c4dd3ed36eb680323c88b1c5382c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
5e811fa6f19f1464027aeb850c7abed7

SHA1
7fe9e796a717c840970ad55c2e6e92aa9a2f2f05

SHA256
9a7b0921f6cd713dc0708ab477c011a43a724df68470cee4421713a7b1a713df

SHA512
d5703f0351743b038755c37131601e6f167ce7f2c72b1641bce4be7b8ecf37c294ca7627fc8d183726ddbdcac1b214e7bf095f68a1c85bcf228b4eab01396eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3a4e991ed86141e5060cb0dcd84bccc8

SHA1
966b1026595fae2296114cc5810e8bcab7d9e365

SHA256
21883a651e30474cc2c0f5a09f5e191cfa688db9d219837401b759a3c6db972f

SHA512
98dc0d7541b84e66fbe0acc74f8aeb83d855a322578141e8f77884da6d3750606a66503b40f99c4f9094644afe4629f524645bdc7607de1e6e3c5be5ed8fe450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5368b0c51ef429cf69ac3a30fb55f17a

SHA1
5336b76820005ff3aa8eacae44b484e1607148c7

SHA256
1aeb559daa6cb1934a29fdf6a4de590ba19322d526270d5039f6fb6b49a8957e

SHA512
ebdc77317b01630ad4581889394c745202dc837601add1546c3eed5ac81a1fdf8987a13a932b317168e75720325421d55e959fabaa40b38609e017c7c1639bb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
8c28c6846105dcecf3ae3c4889093fec

SHA1
171d5259e2c3a2bafa1cf986f6626aeee061efc8

SHA256
12df4ac87abc75d30cb7494aa9bf6cd08c09d5488b5cbec790012a768c25a8cd

SHA512
c3abec413dccdae0d5eb81241306ec727d5f513b31e80d834e04e1062f8f0f8502595d408cb3cb90020ae1a28094ed77c4fa654f1a856ff4e29d248ab0f68e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
a3ccafb4ec1e3c4dce36e63ad57da9ea

SHA1
1b778bbd4572425de6404d675e09d6ad21ff65a8

SHA256
f967ebf284c378f6836906b9b069a803049c6035415a98e0ee9a99b17f27e753

SHA512
6c29e48775900b58a0fddb06b9a881b041a1ec5bdec5980463261631dd48cc0c47d55a0e93d05956451f8fb56d954a5ef230deff4ddef85d63506d25741a4871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
f7d5479e03d1b63dd2a9d73af8a08d44

SHA1
fefb66d7e4a820b739e4337e3a2ddd6193170fb8

SHA256
258fb049febd7e9644a709c0a2036689da9ad934b0faf496dc9cfc322da01832

SHA512
baccdde9cf3e7037d3b1180e0f1e3403ba2bcf88e331493d1fb1119bbf361aee273eeca7f3ecd3648e2b97ce4662a3477bacf485186b417a6a5ec2f2439a936e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02d4f09a2ff1fcc2c5096a4b05c67d8b

SHA1
c1b6a294d609785b986a5458836c631976501d21

SHA256
f2f2fbe7ea92f63e657aa84924c57f1c6d6c548d53a0801926c1b19666a49bc1

SHA512
4a2a95d9ba4004ef58ec224ed6b4e271d710fcd07c2aa64f615d87ba7673b78f15f3059a6d575f3560cd70fb9f414748af454ab69d265dfd0316643982d641f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c630dcf2b9a4e1e8a9cfaaa4a21ee030

SHA1
2b3c4fa62cdab311f31ff2aeb66c577a574e4ef2

SHA256
4270354c13bfed6ffaa8f9b786d7b638dbb380267e002c9c77dd5418039764c1

SHA512
d335c6cbe80454b774fcbad461ea69a29c72fb483743ddfb6d62bc1aed8c0571d11ef12fde30c86b42d24fba059a1a2a9ad697d2790f54723fefa9a588a2ffd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80f2c3dc01212283dca4bd58ce7fe76e

SHA1
8ec848723ae7168c9f4879c7c9482af324f14d8b

SHA256
960ec51a423e94510f44a003ed09cb292721bb19b8b0d24437bec11777b2d76d

SHA512
a37bc7f868cbdac6b1cf31dd1855087df23ae60b047892480a4534ddd38c0a7b10ffebb27c5e3040230731d28b809bfe34f5f4378dc06d8a99b8164086a4147a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ecd3cd1e05e8435843291738c89c4ab4

SHA1
9de16b79d0d5addb2f29af6f8c98d30a770b33ff

SHA256
3f47a32746484e54806bc690d17fdcc71d366a67760153a159464e5cdc064ec4

SHA512
c8dd83c54a52b252c7ffe7a1b71881e8e94d92bee79cf9cbf7870adb4a57c9299844f3a467a0e19222a3ebb55fa3f723da516668eac6ca5fc3beca78ee51ee0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f828d28d129ae5cad86f1cc5509220c1

SHA1
e92cef29c39899bff2102c588eb707c8cfa674ab

SHA256
bb68ccfb9a37d0a68fcff6f6ff00f90a5d3ccefc97840e0677c9e3b38384ed6f

SHA512
768da5a6d8a647c03da21bce840bd8ac754d06326cc87939038c55783fb62a9beaa8dc6313c57c218172df3977e5a313b6fca9a663251e933ecebe9427a75c27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29baab5cd38d805ac708f7fbe7ffc3db

SHA1
95aeeee11e145ecc45e7107815742a77850f387c

SHA256
ea1298d3ecc5849bbe4cc9c6e74f45f33ed8664d46281d7dc682204ceb958817

SHA512
f38552b5e1961f07237c5a265e65cb5de1cbd2c68d4dfac93608a524ceb70688f013e65846d6790837865eaaed49e4d3120a77d8e24c119247c3c71b8e9130c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
2003bbfab19e80b5f77c54bbfe067a3b

SHA1
c627763dda8d6660e36f8e8fe9aacb4967fdd12d

SHA256
7a94f1be753c2fb7990ae9a21a8194552106829d8c179df9df956c5c60cb6858

SHA512
2569a8ae1ada2a85efa6825e372122a4cc4e8f7cc4094d1960081538a1212e925020a276f65baabb131fea611892795f226c4e8efecee3f673c6a3d70edd0ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
bf0bd5074d20de3d45b6d7039638be22

SHA1
999ab0f23f90f734d57bf2f589d2eb5b64b1e074

SHA256
a5b8110856ed9458e9f05851b91717509722cd9c7cd16c2b601519ed2e4dbcf2

SHA512
2ba812fba1b664274479fa73eeb448cf5e174397faca79cb22a46c0dea6ca3a120b9cdab20c41ff9b4232b53763e0217729a18e1e439d6b01db87a6698b46bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
914b42392222f0a72f383ea29534516b

SHA1
b67a11f9f5928950269e6278874f870d76d3e04b

SHA256
4f0296924e3d4bfb9f3ab57189969c162c18f79d5ce4bcb80facb5231fdc3a03

SHA512
f3150862500b74fd961bd0f1229e53a38bccf7aca3e52dbd502a4c8fd62592a4651118e03b8ccae65130c719c1329768579b48a10c93bfea4fa5c72272f4413d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
bad9ea1dbbd592bc68eee8f44f5090af

SHA1
fc30389022e399fae54b364234d327b574759681

SHA256
3016d243c037848eb92d03b4d2caa00ccb49edf9398cf496d5920dee3890f7d0

SHA512
e024c41991eeb7ad230af9c35e044a74b2e6d95679b94b3dd55a703f2490d7d200a34805122ff641f0ea9da46865f45ba549550a9012d6e17e7ae09d1b30b7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\6EA39AB9-9366-4183-923D-592DA95807F0

Filesize
397B

MD5
2f82426450332b558a61ae9ca551abd9

SHA1
abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d

SHA256
57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52

SHA512
dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\961F0693-1E71-4667-BF12-C82730F45F7C

Filesize
1KB

MD5
85ad173999ed440af6120f3b4fd436fa

SHA1
eebe3bae40b0c82db581b905e2a4c4a90055c9b3

SHA256
2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165

SHA512
3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CCAE7DA7-F451-4792-AAFC-D5BD928610AA}

Filesize
4KB

MD5
85b81f1409ca22b1baa9f628a428d985

SHA1
fe75362ecee3e3195e8eb164697817720e547b45

SHA256
ac0e84521f4466514ccfc57a7fb01b9dad8d14b687ec50ca5c40f0308fb61102

SHA512
d01ce240afaa46783b18e38ef8a494f1d1ea3b619d09187068b5d670594ba242a5862c33385068c8d77bd03227c4fc139981e83a81c82ff5d4415a1cdf72f2b1

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
5b946535a5af0189662d1789346f249d

SHA1
18a201044fd7655429135a994a67c9976d079979

SHA256
92a135b9bcb0acf0454acd4d4dafe95844d7d1293cf52bcbe816a4c9ae8ae9bc

SHA512
bf330f7462ae814cd8a37c6ec518ffcd3c73e86d95609d6778d8d2a078eb2e74a74574f5f466d99f8d030eadc60ef41a77f7262ac5b32787d29e90cd6728063a

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\Quick Notes.one

Filesize
4KB

MD5
c7e3ce7ea40341501c2706fb1e15d436

SHA1
3215d5d23623d86ba756270341ff33e5f40d8d8c

SHA256
2e63bb533197ddd97716978a035adcbfb03389d80850b74b67a0cf8eebc711f9

SHA512
9dde3fd38c6b0c694c60ec34e6999bbf0f9d533681257e15ac0d16f544a5f7670f56b0ba60de432af37411de955859aa0340e7c9c8499cc7cc0cea917a84bb3a

Download Submit
C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e.zip

Filesize
81KB

MD5
94c0c45e17770a79a83f740c42cf1828

SHA1
8ac6675010ab226ad3a298708f33e789e206954a

SHA256
664ef11ed1ff2505e15906f5a426fb89b1a0ee1b475775afdbac40e7fd9123f2

SHA512
495c9cebfee4d3fb86f0eec666c5eda0dbce0b065a507c431624798a850115afe88c2052e85d7739f8fe32b9909e77a5af52f0ba7b398d8d6d4bbf9a4eeeb062

Download Submit
C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e.zip:Zone.Identifier

Filesize
202B

MD5
62f2e4abbc18afe2285f984651f6ba9f

SHA1
9d4d9f245f87c9bd946c9b49be81106b1b575a56

SHA256
5763ae791122d5747b09b2394744c6c8dcc5b9eebad8e0f5ae3d1daa6cd880fb

SHA512
125c87562dc956ea0e0da7a3129e12650bb206ae84d976ef7567609c9ba36bc51d1e50c92793ffe68ea738727966d91c7b68ee4ead51cea1b843dc01715a432b

Download Submit
C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e.zip

Filesize
80KB

MD5
51307fbd67f8d451bc4df2a0e4f0ee52

SHA1
256375d9be45d00f6eedd1a06f7a2bc94761c1cd

SHA256
5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e

SHA512
729553692bf14506349f1d13a43b2bbff3cb778fdc30dbaef9a3ecb77b4f6ffb0da5983ba3c218f31e884ae62984e6dba70a8142d5e45fa8a9ab1419fcdd14eb

Download Submit
C:\Users\Admin\Downloads\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\5415400adb1453caa8cda8dd9a5c4db49960530fc8e51b678d85ddc059912b1e\win.exe

Filesize
161KB

MD5
d18ef5a6c2bd443864132e5c7feb0c2f

SHA1
4a34764809f4a95d87e98abb834721be41060a6b

SHA256
02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461

SHA512
dd1b3cee1145ef4332ef8c217f3d4cb3b7e74ac7a3033a467b6553e00a918940ff6c4db4c61ebd2686bc0d2424e9f2b0a207937e9b0a5b642c26a13e6a056dec

Download Submit
F:\INC-README.txt

Filesize
3KB

MD5
8cd444fe4738cd48735de6d254de4080

SHA1
01ee9698aca64c48ececaaf843783ab1fe756ccc

SHA256
b0a13a45d517990ebf23ce1f8b947abe96da6a643274df8c8a038c7b95c624ec

SHA512
36de1a2aabb67bb5631f16ddc4a1e6dc8d59897139874228520dac56ad24a1be6be35a80da2fd4d4720069a2883658be31138ee3cd83b39f6129c921778c3d4f

Download Submit
memory/5704-1843-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1848-0x00007FFB66FB0000-0x00007FFB66FC0000-memory.dmp

Filesize
64KB

Download
memory/5704-1847-0x00007FFB66FB0000-0x00007FFB66FC0000-memory.dmp

Filesize
64KB

Download
memory/5704-1842-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1845-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1846-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1844-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1953-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1952-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1951-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download
memory/5704-1950-0x00007FFB691D0000-0x00007FFB691E0000-memory.dmp

Filesize
64KB

Download