troldesh | hxxp://Google[.]com

Analysis

max time kernel
358s
max time network
357s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 13:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Google.com

Score

10^/10

troldesh defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 1 IoCs

pid	Process
956	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\A:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\B:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\P:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
197	raw.githubusercontent.com
200	camo.githubusercontent.com
195	raw.githubusercontent.com
196	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\Desktop\Wallpaper	[email protected]

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3404-636-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-637-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-639-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-641-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-638-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/956-648-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/956-649-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/956-650-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-667-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-668-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-699-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-709-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-719-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-1014-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-1036-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-1040-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3404-2263-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
3616	taskkill.exe
1184	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133882485536338768"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{CD02C96E-8FBA-426C-B91D-28E1906193AC}	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
3684	chrome.exe
3684	chrome.exe
3404	[email protected]
3404	[email protected]
3404	[email protected]
3404	[email protected]
956	csrss.exe
956	csrss.exe
956	csrss.exe
956	csrss.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
4284	firefox.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe
4284	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4284	firefox.exe
2024	[email protected]
2024	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3984	8	chrome.exe	88
PID 8 wrote to memory of 3984	8	chrome.exe	88
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4892	8	chrome.exe	89
PID 8 wrote to memory of 4700	8	chrome.exe	90
PID 8 wrote to memory of 4700	8	chrome.exe	90
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 4824	8	chrome.exe	93
PID 8 wrote to memory of 4824	8	chrome.exe	93
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92
PID 8 wrote to memory of 2756	8	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffc2a9dcf8,0x7fffc2a9dd04,0x7fffc2a9dd10
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1968,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2116,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2868,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2872,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4388 /prefetch:2
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5400,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5488,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4876,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3556,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3884 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3204,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4824,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3884,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5796,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=2996,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=2836,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6004,i,2570859661635090065,3824767671348176708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:3616

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Windows\csrss.exe"
1⤵
PID:3732
- C:\ProgramData\Windows\csrss.exe
  C:\ProgramData\Windows\csrss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3396
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1992 -prefsLen 27099 -prefMapHandle 1996 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {3c456846-d8b6-4138-9cbf-9df68b81cdad} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2452 -prefsLen 27135 -prefMapHandle 2456 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {72661628-311e-4655-9f3b-e27a86dafb18} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:3084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3780 -prefsLen 27276 -prefMapHandle 3784 -prefMapSize 270279 -jsInitHandle 3788 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3796 -initialChannelId {bb7818a8-1313-404a-9432-63e473db7ffb} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:1408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3976 -prefsLen 27276 -prefMapHandle 3980 -prefMapSize 270279 -ipcHandle 4056 -initialChannelId {ba0c6551-7af4-41ca-ae25-1b3a387ffd69} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2968 -prefsLen 25213 -prefMapHandle 2864 -prefMapSize 270279 -jsInitHandle 3004 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2768 -initialChannelId {50d4d04e-1169-4653-bd36-8e6199efe818} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4500 -prefsLen 25213 -prefMapHandle 4504 -prefMapSize 270279 -jsInitHandle 4508 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2864 -initialChannelId {1894a6f5-c53f-4999-98ec-5450811543d5} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 tab
    3⤵
    - Checks processor information in registry
    PID:3688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4508 -prefsLen 25213 -prefMapHandle 4504 -prefMapSize 270279 -jsInitHandle 4500 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4692 -initialChannelId {5165d0cb-6efb-408c-8f09-77555974cded} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5248 -prefsLen 39264 -prefMapHandle 5252 -prefMapSize 270279 -jsInitHandle 5256 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5264 -initialChannelId {9ded1db3-5cd5-4dfc-9379-a5341e80079f} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:3324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5256 -prefsLen 39452 -prefMapHandle 5180 -prefMapSize 270279 -ipcHandle 4824 -initialChannelId {55729f4b-2a7b-44bd-be63-8823c32be488} -parentPid 4284 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4284" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 utility
    3⤵
    - Checks processor information in registry
    PID:5388

C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\[email protected]"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1184
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5124
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:5968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c0855 /state1:0x41c64e6d
1⤵
PID:6004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\82878c29-946f-4d10-9889-16c446071cf8.tmp

Filesize
81KB

MD5
27781906c2c250ac50efe647aba43b0b

SHA1
c0a79726faff3b242eaa98a79aba8435b157c16f

SHA256
6b5ff3eed713a17fa3625ba319ba306e5ca9932c19285a86539b80148e4c535f

SHA512
77eba8f7fbfc92e79333fb528d79d7e47c78ffb01a77b474d23df0aa9bab5fcf7ad605f25e23a47c60fb400f04fb3827397300010f93e36ff7357ee6c951841c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
dbbcf575207ba0bcb3984df108ce7410

SHA1
bf140044fc1848b79f73aa62a9500d549226bff9

SHA256
aae3e30e3fd3faa64a24210a5d7ba5506bb5e7e50f6802ffe28ed3658b1f900f

SHA512
f071fe1426e3e389a7f4849ad154e8ae99b64edc45fc88387ec3d857f8b698e558aab0ebebcc0717778bc42ddba795363de3e91553bb6707a045f34a8656218b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
6febc9636450519a1460e7edc66d983e

SHA1
1be044737d146571920f24ef097a7ac4a18479de

SHA256
0a01b63a30ff87d533441a074ebd7542ee8b45ab34a10c0172663fa96d8330bc

SHA512
7bc72975f02b8c856ccf5eae3d63f54b1658bc200aa86ad98de0ec66055707d3387e1bc9344eec1ba3a14dcbcf917f7e689131ce8db83fc517261df9b54030e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
01b1d5e90a9f5bc8c5ca5c5ba9ec326a

SHA1
f5a5d885bf4660ee74b4d92df687d6f5f2cd79ac

SHA256
aa613d449aeb34e994f974d0be7220383cd5ff6bae0a2f5ed34bcb677b36b6d4

SHA512
dd1890deeab613bc6c90c9948bbed6e9f0a57b9afe16128833ccff1551b12d3535821276a30a9041fe8af6dc65e8acefb89d28fe93a4fe04c77a5c539bab9dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f4cd61dc3b7c0065b7c291878b442bb0

SHA1
3b63b6ab4965dde3b1d5b95d96bfcd0bc9818950

SHA256
fc737ea59b5e2272a44d7e344898ffdc1d25010582285dd4d497f67997082603

SHA512
9ea330b356e0f1f09f342f6cfde4e75091528ef8093534c1cc812bfaf07372f9c986e47c5876cdd2d98af397c3909017463138adedb1ad0a1b0e422c7b14c284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c59b19097fa1fb47609701e316bbb5ae

SHA1
5d5a4ae5465640908a13be103e2082f6062a1658

SHA256
f81d5f4bd54631d29bfc9883aca2166b086b18e46c20c923503a4aa98d16f934

SHA512
7c7f72af7c40a6c3bc76cea0533c3b03db4b054ad6b333fb9fa0aede0b92b1b39c34ce4951ab072600d1aab1c9ab3f2496b7fc57e161f0c730c31457c434ad94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ce7cc8862719a623e950702305a411b6

SHA1
762acb192d5dcc014a356df45346a577720271ae

SHA256
30dd53606b4bc8f32c906c2a7669659a825f442984b94f5a354c228343edaab0

SHA512
5a6cff9162c70acabe87bb7df54525643dc6eea999de4de6ee54fb42512d1a341b89b2c117c3edfbce7bfce81d03faac54f002522b7fe703c34a1cf23b6fdfd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2b3ef7059d6ecbc3d5960a34a7fa27ce

SHA1
e238b927e3db5c0e78ea7f4f707c5070b7224b11

SHA256
6652256f33fec8ee3c94ae72d955af6c39cf3973c4ae9bac9e620f14d33b0313

SHA512
aff52e0ce34637edeb803ecc904b3ffe69a34d0c972276e8bfdf644bbe476bc9718a38478e3e6647c70552b56ced80ca21fae338381b239ee20b8dd084d6b6f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3826cbe417410f368cc24594eaadfd08

SHA1
2ad51d5558354a7cb8ed2207854ea8e0790f0cd1

SHA256
74078f8c8693a64c5b147b55b4a910ad6c3ff0902d81f999bcf1d85bc2634793

SHA512
3e5efd4ca1ec6ee258df7f774fb9244dfe90c6ffb873bac720d7d6b61cb53689253bce8e36e6d000dbced7301ceebfb6b28ce8633129aa3904209e20db5d5bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9511644024e11482a19b27a646ab57e7

SHA1
586fab99683d2d6889f82374f40c9eaa837127da

SHA256
4d60c277984d25e589cf64200fc526cef858ba00a554367b6443d02439e43ca8

SHA512
ca053995265e2d6c4e66d17972497bbb994dddeb5452dbe7bf81e9948c191325360ff07f854cce8d9b5e6b7ca80d3bc1ea30730e959324770c17c0d76ce743f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ac00dbee0257505e01f10cd442071ffd

SHA1
33720b3fa809c337fb4de513c448066888dc7337

SHA256
cb8bda2dc51e8644566fb937a4154ede14ca87bf35cddf4566991da9e0ca9192

SHA512
a1de58ca24324364835c38ef55e254e73b2e92af482e8a1b813bf18c64c21e356520f68dd3b05ec6f90ddbaeec357e93f2873730a65e05b933df710ba8fb5640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e1ae9982ef94a14696f7f18bc0ba0ce7

SHA1
d028983ea81729b96c340c29e12a841213656870

SHA256
acf612f5fd27042595fc59d18e6e530dbf0f9d93b4008704cade36366bb7cc4f

SHA512
92a25f61cf7f18f9845911156a25272cc86cf62a47991b8ef577a984bf3f8850a4d9d022e3560d4e6ea74fda5e23cc410e06b13aedd0bfad9cca104d30c17000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d01a89dba9db3366b1f1ff927bff4a6b

SHA1
c8631432f65cb6576aa263342920173bcae35140

SHA256
602911aea80efe97713ad2baa7cb287f415842279e6c1a88ae3d406aae8f9a4e

SHA512
1f715763ed48f4f192bbf8bd4a7bca05408b39b6a4049e2941252920a7bfdc5fb3ee7eb341c797cb62f90eb9929a99e8d0dc1dbd3b07eaf30914d189e6b9c511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3f2199a244a075964003074dfd9baf16

SHA1
0f513ca4189a30dee0cd251de204054037afe3aa

SHA256
6b3ab20ebb6d8615e06818c2889cc644dacecfd122d43692b16d38b40f49a641

SHA512
55d156522eb05a4cf17c2c29ca26f57445e832dfee88cd7a239ccf62ee5575e8aa3a8e4a0fe98805baec9e98ad7058197d1bf84e9489e09e514c0bc493db79d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e130fceed45be1b932c32dee381ad6b7

SHA1
75e5bc23e75bd586686902873a9e397eec07e0c9

SHA256
44b274628d9a4831730f3570dde7eeb8ae604cf3dd3c790cd9124e801a900a02

SHA512
1633502adf47170fcd1e397ede09849d77e7586304af44804b2341ced3f635a4942946128baa763e81d7efbb51602131692601d115132d50e1f3705a80809f42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
62f1cbffd9db446fbfd6b679514fcfaa

SHA1
a264f6b90a08504fac47db0779f4a7f6101a8c87

SHA256
7e8ad2c719512e5a244933570ab39e17ac734c3519eb72a7a5f2201398469f6c

SHA512
6de4057dbf8dcb68adb0a9f72c28e501bd79bca451eb2747a7cd1d083a66e4f86c143bfafaa111f306d25df5bea836edebae8fd0a4e7c98eb280f044e0efd7af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
60ab0c9780eae9ae6f69c46c58035d01

SHA1
2e1867f47a418bfd4383c90add7a1c25a44135d9

SHA256
7860538edae4d833e451613ed0017470ab2629dc94e0e3613e3ec1479d25ed69

SHA512
2743dcd775af1196b84d2e6ae44a088438db94d730ad18dfbc9d5de8653498765f1351952e84d26722a77d968db8bc07995e03185f4649c51198eb942f13f4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4950b7d71a8a94898b5a39c690366bf5

SHA1
6f6e63bf10125ccbeea8f3ecf623f67e2633f0d5

SHA256
22f1e1f60ef994093f1339eda09076a46c2da63643cd8d137ee8de02cb356007

SHA512
ffc289c99a3436f4a89b6ccd5bb068580c52c1cc6387d2864075e8cf48c69911f05bf7731975e1d2f4787b175255af7119e2a0e7f169da0ee98aec8577b79211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6eac6aa4320516c2559ff480a1c6d59b

SHA1
8952f23d48347b8e2408e3e1da72688a06fcbb45

SHA256
507acf25f0ddfa26925a4050f6a88e2b50f20f689cfeb90fbfd391ec6e89946b

SHA512
e5f7a9af6c9d0cceeb0720ab1666613e04c0bdfd229da23a1ca79fd86239261f68a8b550fda29ecdabf22c880494891ec20108370616c6c8a0a768046c0d2dff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ec54.TMP

Filesize
48B

MD5
f1e4551551c39f6efdba38b5c0e18d3c

SHA1
1ba81be78ca53661288274a012757ec4cc1c1877

SHA256
fe409aaef0186abbd656df4828106ecf2a6cb1feba560fbbb927821e1e67d893

SHA512
2c317d67b21804243c4e89830b4baf478e6eaba62ac2aa02399bd3ae916aa36f47e3a4761ce67061c3744f9f68b5790b83931cc6ca31c6b8c068904aee799c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir\the-real-index

Filesize
72B

MD5
fa5cb5d3af03286cbd30aae91d18475b

SHA1
4c32b16e387222c6880eacd97bdcb8d56d30b33c

SHA256
7416335b6a6a0087e98cccf77897ce501147387033e2228a7dab2bb6bd801e9b

SHA512
7fffbc64ab5923486508d57d66b96bc2abaab5b1290120d99f887189a6e3c1c4ceccb8bb37e1158386399304bad6981a499d8c87962aa79a96a8fd4be69d143f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
9a9c63cceb0720df6582f0dde3bf6da1

SHA1
f4d3c0b183bda4e2228ff83aec1c7e124ed44378

SHA256
edf42898abb313272a01763d13c99d58b02927f662635806cb2a9810f72a941a

SHA512
9f032f542d4fa5bcaaf01fa2f570f4ae6df1638c272435950f8e138ce8bc0f94de09245d80ac92c58f6380d498707311cd92f7066c2cade8b54ca6bfd7810663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d5611ca94119cadb67550aaa25bc2c3d

SHA1
20eced6508e4b88f86944782077871568caad1f8

SHA256
51253b2ea6ccd6f2d35a3d89f54b03825e9874a2b86ba9d043d3233fc2e15110

SHA512
96886ad96a561e92d938a2129633579cf23d174b0401f49749e7a079e0234d61cb90c267f90ee5f9591057488bdd98b59edc206f1743511139668cc7f455b6c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
aa86752272c0e14f11d105636b3d7898

SHA1
2e1e700e4a48ff3f49014db775ccedcfdad1f052

SHA256
bc68a37736f1ecc98d8efbb1e5bb9935a1848a6f4baaf61512556ae6c09c3f19

SHA512
1acd1cb5fca97d479c38b32ea8eb578118e78581defba3fb5139dde6fabaade10dbcf13fa2062895736973280ee9e3c8265e5028ee992b814c7bd26b527c8046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
2ed7d2ee96fcf1343475d004d374e13b

SHA1
8bbc09bbd3e4b1310327cfa2d9c5e70bf62e13ed

SHA256
6eab64f37b3c8dbfebe99360f391950df171ece4aee9524c2f2fce9bfc84f9a2

SHA512
d0c779cab21f67dbc4f27ccb0506de217b73d536756bf93a10976064eee718c65ef9859ee9bc4d6dc7c3970499c07026187b8996b9ce0e31ac8abe3e5ff0220d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.2\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
aa9f3718a2828b5d9414472f0ddb322d

SHA1
cf4e42868cac65d121cb17b27abf5af2193e1e5a

SHA256
9d718c8aac0ac18ac349e342bf08263f2f73fca2521b4018d940d42a778c06f0

SHA512
229a9d8a1df57cfe4434e7dcec2e1b1a2f3c6ce591b580b9f61efc7ecc56d7b3e74e779063774955bd34737304774163ced8927c422a71a47c6dc42c69bafa0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
87dd49cdb929c3bc5856bfaf8ab34654

SHA1
cad029181ffa726d1c2d190d37246670a506b052

SHA256
d981d32295d3683776ad7c9aabae1ba954356b92d8a7dcc76ccdbe64dbb77ab7

SHA512
f13d4276699c83f3d11b80519037c4779d4325d304432222e0956644232b66c152a42bea266d6331a6edd8c0deaae5e52798d6bec3740c61883ae76896a54ddd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\startupCache\webext.sc.lz4

Filesize
105KB

MD5
1d083094688810384921573896f94a1e

SHA1
2084cdac9e3b48d81fa16d5a74ed2b974e28fe35

SHA256
4e4a872f2b073ef8f4552ee1d69b84220be52856cd7683d3820606bc362a0c69

SHA512
85818caced538ea8f59b05bb33303dc224b536a456dbbeabf78548f4e82b6274868fdbaef5b6e95e58553f873865f0abefa33d5ea8c670465ed36544dc6b5d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2ba1071e2fbf78718f1079f3068850b2

SHA1
d5bb5928f6e665fd4fd92ec4fe59444d3669a191

SHA256
7e6d723c792bc9e8786042064f72bfa8138020cbb0f753e8a6cd0a4b69dd2983

SHA512
71bda34df2b5a63959d1ad4723ba7ce02d31daa643fde3a2636948f13c6b6a2f7084498bb1817127e5deb655ee81bc1b4af6f815c12fc1cc649f7d8e52bf82ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
e4d15bce5c0fb18a3f1ecd9935390436

SHA1
88e942e31e27950b689dfba484c06a85fcab15f6

SHA256
c3018f5afe5292e37c3ccf9e7028dcfb9fae9de1606836d71a0474934fdb7648

SHA512
9663e910203e6bea6112745b3ee0d3c02b2416ce6bb7a36e653fb176b42e0604a115ccdd494cf635513be6789b4ede9f876a0b6144804f38b772abcbdb6d96b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\events\events

Filesize
2KB

MD5
27a3cf4c25722df994ac9fc61b51f238

SHA1
25169d8228dc7a800262bde2db3ab4be45cb0ab6

SHA256
9f5538c01a37d2860ce0954086143cda75458c6764403dbc43ff43f90b80521b

SHA512
92a0ee9dde060cbecebe893bb3e44a1e61efe4af7062795b938b3b90eb083ae83d19955582b873ddca7292d856d37e8b9a21d93bd5b9d5d3b908eb3c840f77d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\373ce0ed-1a86-4fe6-b2f8-3ee2820252ab

Filesize
16KB

MD5
e0e24b7d19ac0e3931369a4cd489537f

SHA1
404b4e72167600213e3205ebb647865c52d620a8

SHA256
f877a2a1d4e032f57e5b1ff26e69d9824dfb899b90cb38e4b811ac495f30c817

SHA512
fe6d277230c03e1fb6a983e340cc436ec8931191d2fe9056c1c71dad97946ffc041ba60c109909e869d9e0b896067bb0e6c0252eee80c47dc665b6a550fbe0d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\3a16d7b0-2b29-425e-9441-88daec261999

Filesize
886B

MD5
82d97594903c029a7293582ea517a548

SHA1
170af9e3ad77abd8a21c2d3341dd6ebf8e27aacf

SHA256
736a489b44512e97049b78ca982eccd1c146bb2dd74682af9a43e17c488d126f

SHA512
6b4bf7fefad743c708df6ed26db1a05343a03a5510c70138e9cbbf47338192e443546e2046492ed003a1f13f1f9a2e7ff55cff12b17479f873ec15cb5dea0fe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\4006498d-cca0-47bd-890f-27f130585bda

Filesize
883B

MD5
c54fd08255c469d4fc29b7ad875c612c

SHA1
224e5536521465c78d805b296d66e66744f5e335

SHA256
d45d22697351b801e5d7fba4bbc8eb6644bdeb147aecf6205005ccf0355cb356

SHA512
6177576cd928a4073eaff08904196fbdd47041b0a18eea41d935e64178a606789f353ad634c15247a1ace10a635abc6d87357ae5dec45bdeb6d205c35fd457a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\58602406-f0d6-4d60-baba-cd4ebe3435af

Filesize
2KB

MD5
d2bf50d358a1a9815b3e79ec6fcbf998

SHA1
e540500be547037ef2cb8874811f4a3c300ad23f

SHA256
87ef008b3007b225ac24cdb8448bb94a45bfe2545e952dd8f0471cce14469c79

SHA512
3f9c574d17c70d5a29cf53fbbf1c7b0dff41586781ebd20891909514f608f994341f60e62e1338117529e80010cdd74d2b198328495bf8526bbf8f8f5c69d12f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\924e8a6f-d423-4f7c-8613-1bf3ce0f6721

Filesize
235B

MD5
f5c2563d8feda0f3298527af4e9db11b

SHA1
f056fc3432647f356a1b6b38711924bf311e635e

SHA256
5f31a7443836bc94a97d1d793af8d7cc0e2034d6865cb214d00e639c603a02bb

SHA512
82ece718f32eec380c32798ca160b69d5766dd73c3a90b22c2fc71b184c0e92a6b9cb27bb628582175711753bd35b3c0209be6759349a91f0d6df37bcb11ca97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\fbe5f621-07d9-4b28-a3af-99d9f7f3085c

Filesize
235B

MD5
5b5bc9746365101c94d5d53bdcd635a7

SHA1
48b6b2a600d9344457f4a821ddf034d2c7b16b1a

SHA256
323dbf3ca6fb80e224f364fb91cce34be8e92d7f49f86f1f9fad353ca7b36b8e

SHA512
afab37be51cfcff933c8b3ae50f1cf2fab6d02b88aa37845148ac5da462a21c59821807fe0813d8bf761e3760152af04d3cf43ce2d172dbf025a1a6fcb683ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\extensions.json

Filesize
16KB

MD5
72927a126c2b7239d24985336ddd8261

SHA1
aa19a003cbb28e5add34ef80e695d1a2d7de108c

SHA256
c44a5ee0b220200678afe3b18059b36c0ea6aeae18e0466140751e6ef6f04a1f

SHA512
8cdeaf37cebc06eed60c1a04993283d4f956b0b01c38bfa31a47db2bfaa271519be551893252718f5784c984671a7981abd1265a5bfdaaef88360dc90a0a735f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
8KB

MD5
f389f2439e15dc131ef21e3a87fec762

SHA1
114bcb1c18c92f076c47bb0fd23bf645b145ce29

SHA256
cd273ae24ae4a391a51f90356cfb68b064c9c6a9ea49228a86f4758410e3a58d

SHA512
db6ada6db1f8c8e6b346438e60fd6381389a1982a1d3e047bd0a5fc504ace81d1523b1c9a1eb3cd460e504e363e245b9ed82cbfd2f959d4780502d4169776eec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
11KB

MD5
721c3b5a342e9e9d22a184b8e05243d2

SHA1
5c6e89deee8a0169fadf872b301fe4dc5115275f

SHA256
b58815b2186c9f431474b0239ef95fb7f17320abe3138a03ce8ea736f4e08420

SHA512
6b016e4d552f02552a06778d70d1afc4a89b811b0d01fe12ed6c31df42ac8cbab17923ac4e15a1dda3839927a51e83e24dadcfb6d76569aaa1655d2ff4075fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
aa4fc8bba79d8c458b4047bfb5870154

SHA1
035cca616d1f6b844a4d79cfa85531fb7c269571

SHA256
42fa0c60a29307f534d59bc197d78fd14a50e078d18c91652b7e9470f1afb4a7

SHA512
3115f79fda741f50b9ef7487f555c2456aa20c6685c4c334d87d6174c39ca473cdae102303571a36a700f7090a62c2da51f7eb721d51c59e9512dd29a7ee7538

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
5e5b3c4fe8592d0754fc26b4d5eb24b1

SHA1
ffd915422d5781d4ab1695a9c8a9ea1a8d35af4d

SHA256
4b7941ae075e1e51626597a66e9660534f79e5d0278c2e30bcf60371334f3956

SHA512
a7e715fe470246297fed1ee521c3716b7a19ee324873ab008b5cec1c6a32d1f5c3cba2a07747d0a9202a03340a08091655bedb61f77c8669725dad846a337dd4

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip.crdownload

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
memory/956-650-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/956-649-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/956-648-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2024-1083-0x000000000C000000-0x000000000C010000-memory.dmp

Filesize
64KB

Download
memory/2024-1079-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/2024-1080-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/2024-1078-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/2024-1077-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/2024-1087-0x000000000C000000-0x000000000C010000-memory.dmp

Filesize
64KB

Download
memory/2024-1085-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/2024-1084-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/2024-1071-0x000000000B9F0000-0x000000000BA28000-memory.dmp

Filesize
224KB

Download
memory/2024-1081-0x000000000C000000-0x000000000C010000-memory.dmp

Filesize
64KB

Download
memory/2024-1072-0x000000000B9B0000-0x000000000B9BE000-memory.dmp

Filesize
56KB

Download
memory/2024-1045-0x0000000006210000-0x00000000067B4000-memory.dmp

Filesize
5.6MB

Download
memory/2024-1044-0x0000000000B00000-0x00000000011AE000-memory.dmp

Filesize
6.7MB

Download
memory/3404-1040-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-1036-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-1014-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-719-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-709-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-699-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-668-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-667-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-638-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-641-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-639-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-637-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-636-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-2263-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3404-635-0x0000000002320000-0x00000000023EE000-memory.dmp

Filesize
824KB

Download
memory/6004-2355-0x00007FFFD1A40000-0x00007FFFD1AFE000-memory.dmp

Filesize
760KB

Download
memory/6004-2354-0x00007FFFD2050000-0x00007FFFD2245000-memory.dmp

Filesize
2.0MB

Download
memory/6004-2384-0x00007FFFD1ED0000-0x00007FFFD1F9D000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads