teslacrypt | 9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

max time kernel
150s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Size

388KB
MD5

a0340430d4b1c1f6dd4048ab98f2e4b2
SHA1

a43ff275972b4ed9b7f3ece61d7d49375db635e9
SHA256

9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217
SHA512

54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d
SSDEEP

12288:XhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:p4DRw7325gPh

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+ejikb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E3F53C7ECFD34BEE 2. http://kkd47eh4hdjshb5t.angortra.at/E3F53C7ECFD34BEE 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E3F53C7ECFD34BEE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E3F53C7ECFD34BEE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E3F53C7ECFD34BEE http://kkd47eh4hdjshb5t.angortra.at/E3F53C7ECFD34BEE http://ytrest84y5i456hghadefdsd.pontogrot.com/E3F53C7ECFD34BEE *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E3F53C7ECFD34BEE

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E3F53C7ECFD34BEE

http://kkd47eh4hdjshb5t.angortra.at/E3F53C7ECFD34BEE

http://ytrest84y5i456hghadefdsd.pontogrot.com/E3F53C7ECFD34BEE

http://xlowfznrg4wf7dli.ONION/E3F53C7ECFD34BEE

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (814) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	jbljcmhyesyb.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ejikb.png	jbljcmhyesyb.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\credqrkraovg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jbljcmhyesyb.exe\""	jbljcmhyesyb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3160 set thread context of 2204	3160	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	103
PID 2744 set thread context of 2832	2744	jbljcmhyesyb.exe	107

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C090ACEC-8080-468A-BCB9-0DA47A438E94\root\vfs\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\Recovery+ejikb.html	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lv.pak	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\Recovery+ejikb.txt	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\Recovery+ejikb.png	jbljcmhyesyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\Recovery+ejikb.html	jbljcmhyesyb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\jbljcmhyesyb.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
File opened for modification	C:\Windows\jbljcmhyesyb.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbljcmhyesyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbljcmhyesyb.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133770950772163644"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{899B17DF-2664-4C28-B5D4-DA8F60F39547}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	jbljcmhyesyb.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2032	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe
2832	jbljcmhyesyb.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeDebugPrivilege	2204	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
1532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4368	4764	chrome.exe	83
PID 4764 wrote to memory of 4368	4764	chrome.exe	83
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 3000	4764	chrome.exe	84
PID 4764 wrote to memory of 4908	4764	chrome.exe	85
PID 4764 wrote to memory of 4908	4764	chrome.exe	85
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86
PID 4764 wrote to memory of 4352	4764	chrome.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jbljcmhyesyb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jbljcmhyesyb.exe

C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3160
- C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- - C:\Windows\jbljcmhyesyb.exe
    C:\Windows\jbljcmhyesyb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Windows\jbljcmhyesyb.exe
      C:\Windows\jbljcmhyesyb.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      System policy modification
      PID:2832
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffe5e0f46f8,0x7ffe5e0f4708,0x7ffe5e0f4718
        6⤵
        
        PID:1444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,6888534858876523300,13384454728485026176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        6⤵
        
        PID:5200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,6888534858876523300,13384454728485026176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        
        PID:5208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,6888534858876523300,13384454728485026176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
        6⤵
        
        PID:5232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6888534858876523300,13384454728485026176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        6⤵
        
        PID:5524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6888534858876523300,13384454728485026176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        
        PID:5536
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        
        PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JBLJCM~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A03404~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ffe7159cc40,0x7ffe7159cc4c,0x7ffe7159cc58
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4432,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3252,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3500,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5244,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3340,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3184,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5532,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5580,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5792,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5860,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4844,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5820,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3536,i,12073735274050340846,7765428472710998382,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:1308

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x2fc
1⤵
PID:2944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+ejikb.html

Filesize
9KB

MD5
14e9449a994f6d4b98da8baf441b407a

SHA1
9e8eb61abbf3ade160376fd7774e693b871f90a2

SHA256
a2e8251128f9863b501686d5e0e35387b55c7b7f65731de31d951e298a94e940

SHA512
c8d46f067717b0b12a6f250b16fc85c09e093735496a2f50a202722247b99ce7b14769f621fbe0c6eaf3310920bbb107ec4fa9acf998152b9dab539305d0540c

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ejikb.png

Filesize
62KB

MD5
473f570a8a6d4282758ddd25e0a9cab0

SHA1
67e349d122160937f27787fee6a800bb16aa99ea

SHA256
c026ae2fcb5dbf91f6b346df66d94c71946c7c52f99ba1711a9e91d2b75ce0d7

SHA512
ebfa77f2bb9067989e8bf2d23670724ba315b792fa21e4c44d89f83dedafb72afeaa33493aa43ef90cbadf27bfaba9200c6283ea3c9c323cb7a928942960bff4

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ejikb.txt

Filesize
1KB

MD5
0bdd519fae9b63c286e3b2760c6a4f55

SHA1
2b386dc3171ef2392c890352bf32537a6b94fada

SHA256
484119ca86ac68516f33ed0b397b97946c4749f7f5913463dadd554b5dcad0e3

SHA512
722931a0a79cf9a8ed2f787c66dab3cc700b68a066804cb92895c1ea85819d12a1710824efc59fa30d1cce8a6cc9d5ef1bb30154e14ea5fb1cdab741faa06619

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
377c81b64ccad01f70c09001358ec676

SHA1
9dc37008176aa8190532a74d9c49c00b3b60199a

SHA256
ce5ff229ebd9a6e9bbfe0c6bed18293b01025fa13a97f6aeb7f8e84a6478180a

SHA512
7e8ff25661827ba6ba8ec533d637fca10083fc051b629f07d77d821a5ea0c7d69a02fbb140ff28f272db97723c630197605cca1081774b348bb1e579d509f37e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
f36a9b83fa554896ea63e3df225008ac

SHA1
2414fc6e86cdfc68d12691ce67679cdab21dea09

SHA256
aafd81ef52f58e2a5018f3a8d8ebacd353cac8ab23f5b761714f864762a636a6

SHA512
f0c56d3e575ca290334942270690f896dd0310dc2295df4b4ec75e784591968dbcaaba89b06ae351f183437d879a8d88ae368ba6322b8f4e1deea0ca02953d74

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
e4385d7ddf51bd26c7f13773f31ae66a

SHA1
2c941a0c615481af72f1459a65000f2b331c857f

SHA256
2bd4c9cee9f68f6ae970684750978ebe59b56df982831d680f19dd53ec23a955

SHA512
b79240fbf3472f4a590d2d9859441791b371b0204e95d65c45db8ff8b488e9a486c5ca364762a7bd932fa824dffe007eeba785e83730b59e4e9d0593f88bb418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d46296a3623992727c284f8028b72e07

SHA1
086990d2ed06739e70d9c1ee7e90290089c16fbe

SHA256
550d032d5b2c432f680ad38e479168d137e2c9c0506d6083f8380851518cbd3d

SHA512
c639a5cb96235a6f78de954274bb75eb8e3f6baec7477e2709c2eb4de7f852a5861109d33e6cbd1dfc8df86874badca352ca3eda09c1227d03465b4778dddccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
a4d377b75faf52f5f4e1f102ebd6f601

SHA1
9b597d2083d2eb93f46385b1b0f613f3fe1b3cab

SHA256
20d111fe679665ffaa77eb5e1285f10af4dc4e0ca84900d2b33e1be158b3e5cd

SHA512
d9dcdc934ce6ee13a02348de0bc17c9c3be40c35253b4b8298ad94d3a047140dc5d506ede47e898845aa2288c8d0b6cbe7b26948285334a7c3d041422b734e90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4504e7ae224da3cc74f90063e1a145d9

SHA1
4305dfef6e35b7ff2563f47cacdb318dde3f015a

SHA256
8b4f5f2392e4880593dfd8f08a4f1a3da678002f3c475a4eb42751cb0f176760

SHA512
dd66be0688ba37c94be144f9bc2889640337be62463440100de5e183b695b34f6ca01aa3b60f8beecb76e12f24937d78db6257b21abcff996deac1600b0ac209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
6e67dda7b111e58b3542937146409405

SHA1
ed88ec38fcd52b616287f3c4d1b24746bb05991d

SHA256
7251d963d35f8772a08a1133a8b64f8b5d637670a56fcd306db31160181ada35

SHA512
e5ef958b246169b26d893e4a99c968c28631fe69d5216ccb4b341763428997fc0602aeb18175f4348a4135e641d767aa4a0a04bef21b7f6ccad5628c1dd7fced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
56d6e2c8a5e375e0490cb2f5cc73df37

SHA1
653804138c1c9b3d93de535136742b2981f8b2db

SHA256
a675726c11f4e5265b25d966cd63517fc0b77d6a65739b27d53b3e65b049f727

SHA512
805f8af7f49241f1ca86b705cbc392ba2f9deaa5e6635987412e340b42882e5549a8efe10b6566d5cb226015e32f9b438df3096b37b16ae4f1821001d3fe9c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7787753db623fe8c85bfb282fb64c12d

SHA1
f6e93583aff5e272f565df7eed90559e5b6edc7a

SHA256
958a979209c3d9b2f8efbcbcb8d47ae0e4872fb4cc8dbba16b2f36f64f8e7898

SHA512
8a227976fdd7da7b8cc5da4089c9f547079f62e75d335840388bd49a5bdc6484986f2f89571c9678035e103191d5aa088ad5ba54c77e97f21f484c3ea80e71dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8e9bfebd05754862ae07bcf1176cd9c0

SHA1
597213b5e1029449e7fb49c68c29538141c3da9b

SHA256
15e390f85c116e28124fcc8d9940b575e278b9858da5fea252f2eed0b5812d26

SHA512
24e621e92e8cad8c83ddf2615a40f80e1e4f0701e4c23d30b9acdd7b3d68ce036ac2cbd45bddd454419aeb8e63401843444500c0e67c2c00d3237f0a1928175c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ab1f9ec88e31c9cd7e8fa59c1bd3f48c

SHA1
7d1a05e2a53d8706bd27c8cbe63a08c4362309df

SHA256
13c8eea0a5cc87177092b9028aa271ad7eea980a483b176926905bbf48cac8bb

SHA512
af3eff8af71673062cc3a3a7616e6a554a3d62751a3ea38228649bda9fd5916a09cd94ee6851ee409288d8555460da9e3159b5105a332ce76114e982ed9ff8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d2824ac58b1cb5b15b05d0aa17e923ed

SHA1
b5e93666d83f19d2d0d78f50491b2f2958a7b318

SHA256
708938b3115a5ffdfd469b88ab5f4d1777d5f2fe2a73106d14d525506aef0fbf

SHA512
e585f5f6ddd88d1de2cf38814bfd2719eb6b3155240fec5d30f72c3f1a61ccc1ae40036f42e795c7c4b1338a7b6db1f3d0407e02b975cf3ddf22e0b106496eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c9920cc9a72d5af793ef1157825a5b7

SHA1
592c8d0f2551eb652a6082b502ae0478645973b2

SHA256
4388902c3a47b7bda478e574508d35c620d8b6a2747b5a9ae422ea2ad9653ce7

SHA512
380f0a7c71f7e6a6c6debec92bcc6b57a5f376b62ed016b1b9e3a534c5155439f1583e4dde05687892424bb7e06c48c33aec80e28a563e8517e0705a7776add4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f51599e3f805638c5b117d220134ffa9

SHA1
acd530916d1d46deec7df937412e14bcf9f9d0cf

SHA256
20b301bad4987fe2d22eadb01b2a7cddf393aa636a51649146c59fb01acd0ba0

SHA512
b780048cb3f4c816ebf84c1d5fd9f2701e1456f3aa17b0829dab6204e0f25625f587226cad926c4ae5e6e62cc3b262f68771954e3154501afde0cad1ba5825ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
81e13ac07ce362dd906e3f60acb0d147

SHA1
a5012de40c4e304a9427016914d8ba968d0b98af

SHA256
5684f344898315472376db55f00a77dca361b05aad8fe2170ef227596febd000

SHA512
398fe29951c4d65b52eb6d2a0c8495fc30c419afeaa6361574f10f63f8b6b6e10be4df3f5c263eae946d0e207649da83ae185c482836e17856dfd5436ad1237c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ce906daa831638ec4488e012dbfc3fc5

SHA1
e9d472d5f42d0f77daf57880f484a61857c3e54a

SHA256
06bece1cbf8047b5f836d082bc2168a50e8d7a7fc63f8d36d84fd9d9702b85bd

SHA512
a6ec34b18dafc10ada34bd05488f5d953ad75b0eae1365a9a6a99ff63345ca4066372c6e1be2f27d8b663c8819d03d4ed1b30055192ee2b421cc937f6488a6e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
baf1bb8b240392e74f557980414a6e25

SHA1
cd95a97f1e15a5e71e91f229edd02187d4c6fcf4

SHA256
7c0b4e4079c966c45185160860dda65f65593d2da8c37c76d15dbd0948d775e6

SHA512
dd40724e096e7744b386e1ef78312264475b498183d5e81ebbdd18ef60df5318e18da3ef69338b81258584b9d18c4109b9679f83e4a2cadb6cf0fb9bf61661b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81c956eccecd434eff0350d91b6aa3ee

SHA1
d625ef51b7ca47f748e27c0c94cebea765b806c5

SHA256
e5ed7cd2ebbaeea108b62d28d44a657c621fd44fcd51d96ba347923b5d5cc786

SHA512
91b73045c0ad9d819054e768fbf83d26f9e3bafc91e375338b0f2efdab3e9900584f31875a235e1a29a47cad2d0b2b9d14f770c93ae25cddbc3de48e5feb5ace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e79e18ba31ad495a02c3e0d9f43e0cc8

SHA1
b4374e7d28fccb51fe064079664d298b104ee544

SHA256
728842b2f971c1e304ec645df606d6cd005f1f7c6bd774cd9724a308ab487bca

SHA512
fa459c9172c22880be6d85dd788629d3d1af0c84c5f8e9e05a78ca5bfcc6abafea6ea6b2745daabdf6c32d2d798ad39ddf001285ad1b1a2626c9b5bc5187c584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c4271c3e82dc3e0f342afeaabf16dbab

SHA1
7d65f7f4065d75626a48f713b74128eda7666961

SHA256
f027c773ecd0d3b557c618c06efe55f5803d3dc28e08a743ac55b60569aa1733

SHA512
db62e244838015809896f0261b4b5c27f9b61969dce0e1cb32908b8f916b0b1c405615360d7e717f2b51249cad6c6b204ff71f3a496f9c3b1a9d842adb1149c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fbefe309dfe45e4c2d56500c44585189

SHA1
f1c6a9f2ef14287d9c4c5fc855e44650b97821f2

SHA256
28353b6b768d5d61b253c4713d6a8d843404f168957f3ab36474441acf457b6d

SHA512
e3f19e7048918d325e3764139f2db9dd76ebc1e4f25329926293327e4f50f4dee5202bd2cf9b4023344157edd6b64b18e4b4537d2aa761468820262335e9feda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
204d697e5f498a6476f6fa61be810842

SHA1
3438dd081516fe2a736b8e5f372c5151b5b26fea

SHA256
66bf8efc97346ae26d842ce2d34f065e51a5da2f715928e9545f20b01b4f0219

SHA512
8de821c4ae8ca390e8c07ed3d61a1dc0532ef5bc484df88947f90a521f9a277f1f0c6ce14d76eab61e25ad99fa055af0fb54e34308a34ee2116ca30c26300f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d8216d2b5a3ddd98775b75d16a8a563a

SHA1
261673f3ba8438d5f6be15112be1d096d5b1c140

SHA256
faffad7affb240630ebf2ea00b66853451a69d7b9944b341506e228361ac719e

SHA512
119b13fb915a22909d03fa5c977eb74924a2c3b4b482c619633fce24bd8d3154c1602a8e997cbd3967084931ad89ee16c25e6659e6666c34e791f05e4cd15d05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
017a14272502818cb48935fd1d940fd2

SHA1
70eba22eb88781a9836bbd2ae010cc8b59943a57

SHA256
98d59488d7dd72fad91e1828be1acf4bd419b036dce38a4627c22c01a9b090bd

SHA512
21fa7f5194a98ad8d456ecc846f2d8737440e7653b28e3c14642feec052b8af205478f8afff61d4a398c7fe34b470d650130c67160ed280705c046cd6a67a26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b311aff38c1c2d52493eaed5f9ce6e72

SHA1
f8e3851353497feec1b6135b92697879329c2b94

SHA256
3d6d46cd40b3048e096c51032fb485c5d6b01953a4e23abe69af1bbcaf964778

SHA512
f2bc9c2f8ca4a8c19cd12cfed3c4a1aba0d1391c85fb368b4d44dfa8e212958d09365d614d92db0febbd75befae55f137857f873a47f14bc9fe8dc2ede69789d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43b0b3eee1f45a87a23f8eec3a98be15

SHA1
31282bc23f6466db43aea4d44fc946bc409984c3

SHA256
9e69bd86e0957381ff1f5eede6ade2a3d416b1968aa8f7546bb7fd4830afa75d

SHA512
771a60e316ab1e12ce894099c17d64019c9b5bd399873b197b62e9c13c726fc7ee670c8ce49319f3d7f6f502529be5010404f7aaccc4390134de1b1cd3f14441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfddff99333ae8d00fbc232d2329cf56

SHA1
44413642c4c1a971aa9c9b206fb7a3c06b466c32

SHA256
b309eff0a56067c0cf88e43283fa85afe3a4cdeeedb3552bf8f9f4e5e2cc4184

SHA512
01bd2cf4dc79019ae94e5f099d23cb93353455a6aaf2ad69a0ba094f856239c1aaaee5a6ef7b286b44d4fb3aae70302421162cebb1c43738bfd74bf78f72d394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0bc81bdb056a2c4f36912211f8c8edf9

SHA1
3af7b3f4721293eb5f9df82d49175a920e09a896

SHA256
5213241e1d6b4ee04e8bb274da94309e2d12d533380b3f6e06a83b44d979f007

SHA512
e9d34953bab144873910c2715d935d72eb430d8b8432d071b259f6a607949f70fb71ed7f0b028b8c4af947e948372496b30b13c6085ef636653a312091517d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bc216235-1095-42e9-8909-3e1e6547d18a\index-dir\the-real-index

Filesize
2KB

MD5
d3e4f5705859b92254cdc03739bd6164

SHA1
79262146dcc181cf700c49d1d552c5df25eaaaf9

SHA256
a01831b0d0dcf34618685200835576019aa00aa430c6d246ce5a727b89b5f193

SHA512
068c9849835cd57f35f34e1af9db698a4e93161364e632e0ee26e3b65af16f7e510d70b67b46dfbeec5f34dd7a5b3128f704ed4e644ad2d2058391f08b90af7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bc216235-1095-42e9-8909-3e1e6547d18a\index-dir\the-real-index~RFe5988ae.TMP

Filesize
48B

MD5
7da35cd7551cba075e52b727a0497013

SHA1
9b073d58bc15dabd6ae998bb4d788047de4345a0

SHA256
ab10425f0666fa802a41608f2fcdac1152029d836cb9c7f3a3f4807e44bfdd93

SHA512
f1ba0f188593112070e6761a0ef1a36488325973de026306a71562c09f6499fbb17acf2544dc8a755f869fb1588aca36498f7a31bc6766f873ee019864a17afc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
ee1e307139fbe22d0fa3bb17c87b5ca4

SHA1
0dbaa729b5977ed0663cca118ab443945a54d85b

SHA256
1e3167194b66d585f470cf1e0baabf936a59ea549bb2387d3756532319e6fadb

SHA512
2bd26e33f834911a216352080247809c69f77fa92677557366a74a89c0c340520911cb7f710f09bf98d3a95638ff6fe16c442aa8230c31a13315b00fb3b5d66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
e480eb5d90f20f225976c6a3472f8953

SHA1
97575c311c61be51b9b63d4bd853cb6257d58d66

SHA256
01f2bcb5795fc41f0f46cdc929d1dbd34f2bca52f5e28c7461ec784bbae0ca87

SHA512
77cb811cef76957ae638a68be1de9d38c89dd9c1105efc8f55b06657979b124239a6dd18fcd86c7098ce037f0a655481adc36c4df19a9a910c900efd0cdee959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
9a64451bfec0b6334d9fe248bc572114

SHA1
156a513ab388b0e85ad25eacb30e732d0560e87c

SHA256
a3168f24007b0852cb3cf540dd6e2508ef2866596afb41d68da48fe689a5080d

SHA512
6e923aa9145452b6807674ff29310605bcb98de4f864a5668d00466bbb7dfee99ec5314bdbefaa9e58e46f2f87efb50fbda0d7abfdc9a12f26410a5e97e2672c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5910bf.TMP

Filesize
119B

MD5
0ba9c4c5e53ae3276cead21c3b87030d

SHA1
48a226f487ad86ad657d38348ad84bb03ffb88d1

SHA256
aa6976f1fe829d55b08270855e856e28057302ddad00ae805d0fa3cea605b7f0

SHA512
d6306bb6605e38e2be075bd7d72058570e01cf0baee5a9931115ab63b0a00f89007c38ccf79c12f9bfb4b65b12ee11621140b8e74c8691d47d0136c957097aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
e6bc864207b921eb6e4fa09161f5ba6a

SHA1
f8d4a184ed7d6afa429d0cdea6776f8ad4281886

SHA256
71337952f4c9700175867ca8b97fc3668ce4a1c08b577cadb5a7547a4a94fca0

SHA512
57f84870eab03d90232968b8154758e97a8b9485398de3a841b84d12bfa2497740c53d98841a61ab388625e9b9422cac95eb2c32ac9224188bee9911793b8c90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ec3d1a9b23839b0c469915693298ee82

SHA1
256e514b4296c3c829c8e95f9e311e231a4a953b

SHA256
b14d9eb482e3d798888097bac4d2c15621d16efad410a99787ba94dd64223a30

SHA512
5c30842d26defad546801f26a1c0f49df718af3114c8bda311ee3c1c69e14c854d2605f1430881e27d275d28e88900f59f13ce29db0c7a96e83abf9a4c85ad32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe595f9b.TMP

Filesize
72B

MD5
5284f4cf40d2523989cb207cb71e38dc

SHA1
fc5294188d6aed67fec47f1a8f77533859f2f624

SHA256
149ca8b10e17e07ae061967ad3bc88a4c95b7c58f049ab8b38ae5983dc2ed5aa

SHA512
cf3f8e037ec83361911e208c06280e9be17d91fa9fa9e3076db90907d0e4e0e8d42d1cad55cb9ec68313b03b643828538439aaa3640780f9057052d244a86060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
72cb9d20a799d9e437cf42c12d764268

SHA1
e4da465a26d3f7bf157399b73cba6cca174c41c4

SHA256
1243bf4b2da9eb0bb553dc75e562b1e8dca44a60f722cf62eed69540b86dd898

SHA512
0432c77b89fdd90261bd70ac0cc250b97d200eab3d8d3a797cc8f953b4ac77aaccd65f211bb94119a4581b30bb2289922bdce6092aaa089882c3c1197440a425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
d5f0fc5388d3aa0900b2c074729358f3

SHA1
2fe9b09aa2041fab5ebe49ab77e9187026645e1d

SHA256
72b963c86deeb27c4ec28144953bc236c81a7551a66faec4b01512a16f5eb3ad

SHA512
422607a4b7c1e09bf58ff51815c216e135d5708f2ca63d35353e1b05cc57ea08ac76e8d1260363961de4c226826a687d44194d8d444da4c13f8f6bd97e81b797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
4307139b999278897a0aafdd4ff39900

SHA1
fc6bf183af327738285732df180d0456bd0ddcb8

SHA256
9e2ce46342c4a7220cdac1a44c302c54605ff885d79e4ede61f24c4c301243c8

SHA512
d4d8192dcb43f6b20b33a04838594e28f22c828b3386852ecaa031e50f19a6a4fb39ed58171cc137523234541e5f16f5178cf3e8bd93cd8762ac341599ad57e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
a935b089d4ab47657a51f1716cabd77a

SHA1
cd00862b0dd43b677557247b9c57c485e49f006a

SHA256
00d834d148cf422af994f6555b7830bfcac373a1e8eb3667d5330bea1378b6e0

SHA512
3b14693ef55b85b073b9ef0ad54fa145a11cd643f31c2bbe8ebd771e63047f04e8181d262ca83401bc47b5f64e001297ef2450944965a8f1001db1171e699ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6878cb3ea1351761ff961a0b9ec5eef4

SHA1
373c0a69cd940d7d88182c3424c9f055df008a83

SHA256
4f9c94863dfd5864a8572d40baad097dd3b0762d6f2d79686a629c7379ad9fe6

SHA512
905bffd03adeb19177db42371f6215e28fe3ea3d151e5df691924170415ac7dfa85c3cb74201322cbaa26f5179d927aeb1073948ba209783709015baa04be54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
66a9c490cf42e83cb25717e4ff361236

SHA1
1aacbc2099b789212fb1955adb4e3389f082e3ad

SHA256
692ee519dc8212ec86208067283c232452662e4bc4737a426cd7557b3dacaf30

SHA512
6ad77addaf3c04c87b61d7a46b1e3f423a6707956f00bcbbf4c92c7556c8dc3d5a44b097f8d470c5ceeb83b5a4b2a22fefa57c4b5817cb1d84cd4cde751e8597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e641908de0a5f1f4773f70107b0008a7

SHA1
14474ce8d226ae79d64738888621062b5153725f

SHA256
b91867123eb51621a683a324a4414cf8c6059c67fe239c0242b45d211d541e7e

SHA512
490ca1002fb51ebea07e1b339997b3113ed5b4150560d3e8c08889c5b56c81eef85649d02c0322e34f0e27d8ff8f83138291b55d9c67fa37699f01f02a9803ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741667982236483.txt

Filesize
53KB

MD5
3da82d8cb45039e5146759a12a0d9401

SHA1
7ae50a694d0d2ff9c19ac0ccf2fee7a2af2843ca

SHA256
322f0dcfea700fe1492dd34e0d3a27aa8670da061cd80a167fc5f523fb2b5068

SHA512
bad5a08a4960cab3248339209934913e7fd134ab73c88732f5a151375afbbc8f993fefdd6c26a6cc764d1af008d4f533c0e08ac6d7f0643a8eeeb4ed7bc8736a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741676773551507.txt

Filesize
82KB

MD5
fec313ff065222488c002f3901b65fdf

SHA1
a15be4b0f2f344b634877ea159c0ba24043466ee

SHA256
e34211d407c144dbfc482b3f15a4b63274659b14f4b7de746299966950287ee7

SHA512
345afb2cbb12438004ecda87d5f70f9dc536f509a58266dafdb9b3ff013a44818f937735ab16e190b8c9a2ab18d2c7060da9d3ae80951266427a267cb8d7d5d8

Download Submit
C:\Windows\jbljcmhyesyb.exe

Filesize
388KB

MD5
a0340430d4b1c1f6dd4048ab98f2e4b2

SHA1
a43ff275972b4ed9b7f3ece61d7d49375db635e9

SHA256
9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

SHA512
54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d

Download Submit
memory/2204-97-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2204-95-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2204-105-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2204-99-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2204-96-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-11008-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-10992-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-10895-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-176-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-175-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-2361-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-11006-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-11154-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-8905-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-4878-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-6714-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-740-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-171-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2832-172-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3160-33-0x0000000000690000-0x0000000000693000-memory.dmp

Filesize
12KB

Download
memory/3160-98-0x0000000000690000-0x0000000000693000-memory.dmp

Filesize
12KB

Download
memory/3160-0-0x0000000000690000-0x0000000000693000-memory.dmp

Filesize
12KB

Download