Analysis
max time kernel: 280s
max time network: 281s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
submitted: 05/06/2025, 13:26
Static task: static1
Behavioral task: behavioral1
Sample: 22690936904.zip
Resource: win10v2004-20250502-en
General
Target: 22690936904.zip
Size: 34KB
MD5: 5a2f950bf5262330d50636c42af4fcd2
SHA1: 849ad09e2823fdfbe7d990ea5ab1d8786825e484
SHA256: 2a803e948cdc5d3122b59f4421b77d059e14a577b8b56570c9ba472992adf184
SHA512: 300787d1c7253249d985407bb02a1a62d6813d849119da06ce87dcf816da48c9f9555e82442380414a042224c5c6d2e7c35adc804885e52b16931dcca1b94312
SSDEEP: 768:eAB5CDMEqPc35+EnrEaBzocaW0Rta9poxdVff/7WGT6CznBV0amKjDa:ezwPkpPTpaxsorVXjWGThznP0amKjDa
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-3299287909-2279959458-198972791-1000\how_to_back_files.html
https://tox.chat/download.html
https://www.bleepingcomputer.com/forums/
Signatures
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.

Globeimposter family

Renames multiple (9128) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Downloads MZ/PE file (1 IoC)
  flow  pid   Process
  96    2100  chrome.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation  ransomware.exe

Executes dropped EXE (7 IoCs)
  pid   Process
  5248  ransomware.exe
  5576  decrypt_GlobeImposter.exe
  2168  decrypt_GlobeImposter.exe
  3068  decrypt_GlobeImposter.exe
  2532  decrypt_GlobeImposter.exe
  1924  decrypt_GlobeImposter.exe
  5900  decrypt_GlobeImposter.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\ransomware.exe"  ransomware.exe

Drops desktop.ini file(s) (50 IoCs)
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

  resource                                                                        yara_rule
  behavioral1/files/0x00080000000243c0-624.dat                                    upx
  behavioral1/memory/5576-11633-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/5576-12179-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/2168-15051-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/3068-16420-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/3068-17076-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/2532-19208-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/1924-20984-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/1924-21185-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/5900-21229-0x0000000000400000-0x0000000000773000-memory.dmp  upx
  behavioral1/memory/5900-21231-0x0000000000400000-0x0000000000773000-memory.dmp  upx

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ransomware.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ransomware.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decrypt_GlobeImposter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decrypt_GlobeImposter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decrypt_GlobeImposter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decrypt_GlobeImposter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decrypt_GlobeImposter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decrypt_GlobeImposter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  chrome.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                               Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                      Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                    chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133936036897875242"  chrome.exe

Modifies registry class (4 IoCs)
  description      ioc                                                                                                                                                                                                                                              Process
  Key created      \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children  chrome.exe
  Key created      \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428  chrome.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"  chrome.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"  chrome.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  5940  chrome.exe
  5940  chrome.exe
  5940  chrome.exe
  5940  chrome.exe
  4028  chrome.exe
  4028  chrome.exe
  4028  chrome.exe
  4028  chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
pid Process 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2824  ransomware.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (58 IoCs)
Suspicious use of SendNotifyMessage (40 IoCs)
Suspicious use of SetWindowsHookEx (11 IoCs)
  pid   Process
  5576  decrypt_GlobeImposter.exe
  2168  decrypt_GlobeImposter.exe
  2168  decrypt_GlobeImposter.exe
  3068  decrypt_GlobeImposter.exe
  3068  decrypt_GlobeImposter.exe
  2532  decrypt_GlobeImposter.exe
  2532  decrypt_GlobeImposter.exe
  1924  decrypt_GlobeImposter.exe
  1924  decrypt_GlobeImposter.exe
  5900  decrypt_GlobeImposter.exe
  5900  decrypt_GlobeImposter.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Two chains in this tree belong to the sample; everything under chrome.exe (PID 5940) is the browser's normal multi-process start-up, and the repeated "wrote to memory" entries are the browser process setting up its own sandboxed children, not sample behaviour. ransomware.exe (PID 2824) is launched from C:\Users\Admin\Documents\22690936904\, writes the RunOnce value BrowserUpdateCheck pointing at C:\Users\Admin\AppData\Local\ransomware.exe, renames itself and then removes its original image with cmd.exe /c del (PID 4800). The copy in AppData\Local is started again through cmd.exe /c (PID 3152 -> 5248) and ends with the same self-deletion (PID 1900). In both cases the cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32, so the sample is a 32-bit process running under WoW64 file-system redirection. The remaining entries are decrypt_GlobeImposter.exe, a separate binary in Downloads (the Chrome network service, PID 2100, is the process flagged for downloading an MZ/PE file), run six times against files on the Desktop; the appended .schrodingercat extension on UpdateSend.3gp2.schrodingercat and backup.schrodingercat is the marker of encrypted files in this run. Note that PID 3068 is used first by a Chrome renderer and later by a decrypt_GlobeImposter.exe instance, so correlate on command line and time, not PID alone. The depth markers (1⤵/2⤵/3⤵) of the original tree are rendered as indentation below; where the image path differs from the path in the command line, the image path is given in brackets.

- C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22690936904.zip (PID 1216)
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 2108)
- "C:\Program Files\Google\Chrome\Application\chrome.exe" (PID 5940)
    signatures: Checks processor information in registry; Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcdc0ddcf8,0x7ffcdc0ddd04,0x7ffcdc0ddd10 (PID 1856)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1628,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2204 /prefetch:3 (PID 2100)
    signatures: Downloads MZ/PE file
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2056 /prefetch:2 (PID 1540)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2436,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2452 /prefetch:8 (PID 5096)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3152 /prefetch:1 (PID 3068)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3212 /prefetch:1 (PID 5324)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4344,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4352 /prefetch:2 (PID 4512)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4772 /prefetch:1 (PID 5692)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5436,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5452 /prefetch:8 (PID 4024)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5528,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5548 /prefetch:8 (PID 220)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5668 /prefetch:8 (PID 1296)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5580 /prefetch:8 (PID 2476)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5608,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5644 /prefetch:8 (PID 4324)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4652,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5452 /prefetch:8 (PID 4832)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5676,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5620 /prefetch:1 (PID 6120)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3180,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3944 /prefetch:1 (PID 5416)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3400,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3364 /prefetch:1 (PID 2460)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3328,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5764 /prefetch:8 (PID 1000)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4848,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4872 /prefetch:1 (PID 4556)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5920,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5884 /prefetch:1 (PID 4580)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3332,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4904 /prefetch:8 (PID 2660)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4068,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=6192 /prefetch:8 (PID 5060)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4892,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3300 /prefetch:8 (PID 1464)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6052,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4888 /prefetch:8 (PID 4900)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4356,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4464 /prefetch:2 (PID 4876)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4820,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3372 /prefetch:1 (PID 2960)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5804,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5796 /prefetch:8 (PID 4436)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5492,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3436 /prefetch:8 (PID 4028)
    signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=3008,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5812 /prefetch:1 (PID 1116)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --init-isolate-as-foreground --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5672,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4828 /prefetch:2 (PID 1748)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --pdf-renderer --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6376,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=6032 /prefetch:1 (PID 4604)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4900,i,5975702873053253611,4939578412301801690,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=6540 /prefetch:8 (PID 2332)
- "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe" (PID 5280)
- C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc (PID 1060)
- "C:\Users\Admin\Documents\22690936904\ransomware.exe" (PID 2824)
    signatures: Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself
  - "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Documents\22690936904\ransomware.exe > nul [image: C:\Windows\SysWOW64\cmd.exe] (PID 4800)
    signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\ransomware.exe (PID 3152)
  - C:\Users\Admin\AppData\Local\ransomware.exe (PID 5248)
    signatures: Checks computer location settings; Executes dropped EXE; Drops desktop.ini file(s); Drops file in Program Files directory; System Location Discovery: System Language Discovery
    - "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\ransomware.exe > nul [image: C:\Windows\SysWOW64\cmd.exe] (PID 1900)
      signatures: System Location Discovery: System Language Discovery
- "C:\Windows\System32\cmd.exe" (PID 804)
  - decrypt_GlobeImposter.exe [image: C:\Users\Admin\Downloads\decrypt_GlobeImposter.exe] (PID 5576)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Downloads\decrypt_GlobeImposter.exe" (PID 2168)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Downloads\decrypt_GlobeImposter.exe" C:\Users\Admin\Desktop\UpdateSend.3gp2.schrodingercat C:\Users\Admin\Desktop\backup.schrodingercat (PID 3068)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Downloads\decrypt_GlobeImposter.exe" C:\Users\Admin\Desktop\UpdateSend.3gp2.schrodingercat (PID 2532)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Downloads\decrypt_GlobeImposter.exe" C:\Users\Admin\Desktop\UpdateSend.3gp2.schrodingercat C:\Users\Admin\Desktop\backup.schrodingercat (PID 1924)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Downloads\decrypt_GlobeImposter.exe" C:\Users\Admin\Desktop\UpdateSend.3gp2.schrodingercat C:\Users\Admin\Desktop\UpdateSend.3gp2 (PID 5900)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
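The checks below are an added example, not part of the sandbox report and not Triage's own tooling; they turn three behaviours recorded in the process tree and signatures above into detection logic: a cmd.exe /c del whose target is the image of its own parent (the self-removal seen twice), a Run/RunOnce value that points into a user-writable profile directory (BrowserUpdateCheck -> %LOCALAPPDATA%\ransomware.exe), and a directory listing dominated by one appended extension (.schrodingercat) alongside the ransom note. The PIDs, paths, registry value and extension are taken from the report; the event schema, the benign control rows and the directory listing are constructed input and are my own assumptions.

```python
"""Added example (not from the report): turn the behaviour in the process tree above
into three checks. PIDs, paths, the RunOnce value and the .schrodingercat extension
are taken from the report; the event schema and the benign control rows are my own
constructed input, not a real EDR format."""
import ntpath
import re
from collections import Counter

# Constructed process-creation events shaped after the tree in the report.
PROCESS_EVENTS = [
    {"pid": 2824, "ppid": 1216, "image": r"C:\Users\Admin\Documents\22690936904\ransomware.exe",
     "cmdline": r'"C:\Users\Admin\Documents\22690936904\ransomware.exe"'},
    {"pid": 4800, "ppid": 2824, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Documents\22690936904\ransomware.exe > nul'},
    {"pid": 5248, "ppid": 3152, "image": r"C:\Users\Admin\AppData\Local\ransomware.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\ransomware.exe"},
    {"pid": 1900, "ppid": 5248, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\ransomware.exe > nul'},
    # benign control (constructed): an interactive shell deleting a file that is not its parent image
    {"pid": 804, "ppid": 1216, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 7000, "ppid": 804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\build.log'},
]

# "cmd /c del [switches] <target> [> nul]" with an optionally quoted target path.
DEL_RE = re.compile(r'/c\s+del\s+(?:/\S+\s+)*"?([^">]+?)"?\s*(?:>|$)', re.IGNORECASE)


def find_self_delete(events):
    """Return (cmd_pid, parent_pid, parent_image) for every cmd.exe /c del whose target
    is the image of the process that spawned it: the self-removal seen twice above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and ntpath.normcase(m.group(1).strip()) == ntpath.normcase(parent["image"]):
            hits.append((e["pid"], parent["pid"], parent["image"]))
    return hits


# Constructed registry events shaped after the "Adds Run key" signature in the report.
REGISTRY_EVENTS = [
    {"pid": 2824, "key": r"HKU\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "BrowserUpdateCheck", "data": r"C:\Users\Admin\AppData\Local\ransomware.exe"},
    {"pid": 1500, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",  # benign control (constructed)
     "value": "SecurityHealth", "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Documents|Desktop)\\", re.IGNORECASE)


def find_user_profile_autoruns(events):
    """Flag Run/RunOnce values whose target lives in a user-writable profile directory."""
    return [(e["value"], e["data"]) for e in events
            if AUTORUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.match(e["data"].strip('"'))]


# Constructed post-infection listing; the extension matches the decryptor arguments above.
FILE_LISTING = [
    r"C:\Users\Admin\Desktop\UpdateSend.3gp2.schrodingercat",
    r"C:\Users\Admin\Desktop\backup.schrodingercat",
    r"C:\Users\Admin\Documents\report.docx.schrodingercat",
    r"C:\Users\Admin\Documents\notes.txt.schrodingercat",
    r"C:\Users\Admin\Pictures\cat.jpg.schrodingercat",
    r"C:\Users\Admin\Desktop\readme.txt",
    r"F:\$RECYCLE.BIN\S-1-5-21-3299287909-2279959458-198972791-1000\how_to_back_files.html",
]
NOTE_NAMES = {"how_to_back_files.html"}  # ransom-note filename from the report's extracted config


def summarize_renames(paths, min_count=3):
    """Return (ext, total, nested, note_paths) for the most common extension when at least
    min_count files carry it; nested counts files that still have an original extension
    underneath (report.docx.schrodingercat). Returns None when nothing stands out."""
    ext_counts = Counter(ntpath.splitext(p)[1].lower() for p in paths if ntpath.splitext(p)[1])
    if not ext_counts:
        return None
    ext, total = ext_counts.most_common(1)[0]
    if total < min_count:
        return None
    nested = sum(1 for p in paths if p.lower().endswith(ext) and ntpath.splitext(ntpath.splitext(p)[0])[1])
    notes = [p for p in paths if ntpath.basename(p).lower() in NOTE_NAMES]
    return ext, total, nested, notes


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in find_self_delete(PROCESS_EVENTS):
        print(f"self-delete: cmd.exe {cmd_pid} removed parent {parent_pid} ({image})")
    for value, data in find_user_profile_autoruns(REGISTRY_EVENTS):
        print(f"autorun from user profile: {value} -> {data}")
    print("rename summary:", summarize_renames(FILE_LISTING))
```

The parent/child comparison in find_self_delete is done on the parent's image path rather than its command line, because the report shows the two differing (the cmd.exe image is SysWOW64 while its command line says system32); comparing against the command line would miss exactly this WoW64 case. The extension heuristic deliberately also counts files such as backup.schrodingercat that had no original extension, since the report shows the sample renaming those too, and reports the nested count separately so a reviewer can see how many hits carry the double-extension signal.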
Network
MITRE ATT&CK Enterprise v16
The counts in brackets are the number of matching signatures; technique IDs have been added. The Run-key entry corresponds to the RunOnce value BrowserUpdateCheck written by ransomware.exe, and the two credential-access entries come from the "Reads user/profile data of web browsers" signature.
- Privilege Escalation (T1547 also provides Persistence)
  - Boot or Logon Autostart Execution, T1547 (1)
    - Registry Run Keys / Startup Folder, T1547.001 (1)
- Credential Access
  - Credentials from Password Stores, T1555 (1)
    - Credentials from Web Browsers, T1555.003 (1)
  - Unsecured Credentials, T1552 (1)
    - Credentials In Files, T1552.001 (1)
The automatic mapping does not cover the behaviours that matter most in this run: the mass rename/encryption of 9128 files (Impact: Data Encrypted for Impact, T1486), the cmd.exe /c del self-removal in the process tree (Defense Evasion: Indicator Removal: File Deletion, T1070.004) and the System Language Discovery signature on every sample process (Discovery: System Location Discovery: System Language Discovery, T1614.001).
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_cancel_18.svg
Filesize3KB
MD58f5b10c7bdb7bbb3e805bfa770b79519
SHA1b9e34c12851495e409bdc9fae3fb1b793a834e05
SHA256c7488d6e223538dc17437c96ebc4c096bab368fe4d31446b8415a6556fc82e2d
SHA5123e7277496801fd4e6f89aad5feaf2718fd107fd2b3c9c82e266835272ddcc72ff5caa9660f7f34099547808b9330ed37fd910ea56fc19228f6b0556e62b824c1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg
Filesize2KB
MD51ae3db37dfd721ce599388d6a36f0270
SHA13d5a1e7c2c62c8ab7af530315dd630a463b0b83b
SHA256e0dff5fb03220a313bb7d6e808ee71bec73add96c2316e33b54b5c32c1a19602
SHA51216cf8a7d5ce5f471017232627db2aa7409684018455ee9a408a531117095a89f9b2ccfa2e1ea1f25a34e175e94210ce8a4f41a133577242d24aa09525dd0a7fb
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg
Filesize3KB
MD522e0ab5e9b56e23e83194b0e1c9c85c9
SHA1362dc64b72e95ac8853f1117f5542195b5c8849e
SHA25689cd3b24705e83c6c469f6cdd50db16ce8c6c8f522d1c1b615ca7f05dc9a1f0d
SHA51242ab401b9cc56a4d0485a8c8a01af810cce3716d4fc968403ef4e90bacefdb51f19a67db2ded18aa4e7f2bbe29f22b8bda3caaa8316fd10abf8e5b04b247219d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js
Filesize5KB
MD5d53ceff9f1b8531c5e142a050b8170ed
SHA12a8331d7783ec12254ef4ef4cddd655aadc1d01b
SHA2566eff5bfece4ee04e8d38032c76497277c045c342fb9e8dc7316cae915b0bd002
SHA512c8098b4b51ccf903489d2a87a69d46be9380fcb64c4025aa9a345061540c3e8282237797dc371999e8ca176771db55baeb6f1276d7b5e3fdb8a4c6bf15a7870b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png
Filesize2KB
MD54f9020a4a4e01b440bd78ec30da3d956
SHA16c9f6bbeddcb06d6b3a54a9c73a6d85aba1bcdc2
SHA256ac94210dedaf9c0abfae610706243e22913e7fd07c978ec2d85c591c52d21a94
SHA5129cd9dec7f8ddda1b274dd672915502c229031d2d721206280170584982bf25fb0db241a4b8d7f45c9cd612e5c87aa456e16279ab8c6b49af291c09baf4f6410c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg
Filesize1KB
MD50dfaa7b06c3d6eba72a29c699147c1b0
SHA1edca8384ea3d395d19b8eed20e04070829a05fd9
SHA2563051a7a9ad80a24cbf248bf91848687a5f02b3061b7def6be6ff35a12ce9d2b5
SHA512dde03d262aaed2e7c9bde4745621b7c632dc227da24e6237bdb388d5d6ad84bb1c1c39c1abfa2545e47300a8721a0a9675b3b7d61672c4c5acafd716c1b78a56
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons.png
Filesize9KB
MD5286480ca79e763ef066caf1751967cd5
SHA1053794d6273c95058ac8c74bc51bf84ab6ac15f1
SHA2561873401cd1a234c7524befbc4b55c1315776362eb133436170c6e0966c283bdd
SHA51245564313f9dd2e04cbcaecb28e2825d5b8ece95c49bd346880314b54dc5e8902725efc203222ce1959c1e7901c3456fa18eedbcc2472c517a1abcb83994466a2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg
Filesize5KB
MD5d0957f01b2dbdacf455bd642b609704b
SHA1d9365c4c2fc499fa613a5257508f22c1fc17fb1c
SHA256619e536b2383bdc7f2b26f5e22f7dcd3479f6ab536f65e58e02636b8f95a854d
SHA5123a8d18e74249600cd224b2c8ed52c977f8dd755b05db11030c5326d087bc6a94a019cece98f76e6e05b40520ae47f275bf980ac78d81e2fefb38b1d8706c49da
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js
Filesize17KB
MD521949e85d65f554cd1ab290ae2d2da94
SHA1ca0ef8bb51752f4210fcf41a270daca571d18e09
SHA2564865b34205deae4dd95c28e8da3c5a05c5d383e8c535a45d6ff4f651a52ccaf5
SHA5127811368f82ee5c2c51e7e5df6ae9a5dbc7c6edd6911c574a5d1efb57b2dfe55d1e7b822b2665dfe60f767f4a9df704f24d7f350011f8fd0a9f8b01e82e454315
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif
Filesize21KB
MD51b48cb34af63ffbfe5620c97cbbaa886
SHA1b3bf29060dab150d8666461e178913b23ed71f01
SHA256d5bb7c94fa4e5af2e267539109c0af4de14ffa154f0cb783b443fd0fe587e0b4
SHA5128a89a271cbadb332eda294c4ce711ca2c6cfb1f0c0f0458ab236b631f3ed18043f03f4f52d0c04d222e28bca4ac7decbaea9ea17b6015f7bbcae85dffa9bfbfa
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png
Filesize5KB
MD58c7cd55adacb629ee2febd5c92555795
SHA1219e2c7e6c3d867215c35a1c9cdf2c4c1b02722c
SHA25633cec3a722f288e625e8d70ce013dacebc356239773cdec2ed98ebf6ba11d1dc
SHA5123d2afd961971d9759196dda7240b5fbf6b18e22367bf23fbc08a27d8e8ebe91c145ad85c66cff8db798b581a5d9bbf72d8cf60a532bd662ea21b7b44d726e053
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png
Filesize1KB
MD55ec2fb51efef9ea0a634db4f7a172b94
SHA1f96a56c0bd4e53859a79e069d548fcef921d46d5
SHA2564ae44c75cbbccaef0fbb61cd4445ce240395859b9271d7e14a63e4976108b164
SHA512b6a220a049482261e13bb85e53b49a3641b9484f3b0d936954dea3707ca74df40c654500ef86aa6a9596470e0b01da25f363ded0290ad646dde3a4ef3a7d89a9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small2x.png
Filesize2KB
MD5696ba15e63586df2a3cd964f20268648
SHA1878b146d757e9bf2111ea418d8b337f58134808a
SHA256708ccff54b2ac3eb2e0fe4ea13e5a74bf393e672d7666ebec95abaacf05f22e6
SHA512cb8ac6c98ae01bf31d548f65931eef065fac61bcd1ef129c0f372036872679aefc8307a47bc12ca8fc2ec89e61b689f22e45cdfa2243ddd86bf921f1a1a931d9
-
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl
Filesize279KB
MD598dfec5465a9fddacf3e49fcb932e74d
SHA1a99a09adea248d06873c337271d8db0ae7e2400e
SHA256646da97e674d250f9f8d3bc4b489901690146ca9ba2c3c54e17dc2c84261838d
SHA5122edfd622f106b2818411a62c6b8f77b78f3da4551c221cca45d6beb164012efa0abc0e0f56ec915176d0f225e62c97246e6cc81fcf532df6947a5d7ab6104e14
-
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png
Filesize2KB
MD58287da63dfef523617298da4b959a05d
SHA1ffdbe56e642c2c0a6148d3c9d85d614f5a3af08c
SHA256ae52132cb161a32f90a0d394a7fe48cb1725e7080e91b214e1134b6ecd783769
SHA5123daa2cc24374841afe4f5f005b74df325097b1205a127d4f078ba704363bf3472a459d97f0814c6501dfbb5c4689fe3e29c1f66a6425fa03d262fe83c2af60c8
-
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png
Filesize2KB
MD5e9f2e3d68f04307b061f5d94b0bdd060
SHA13565b98c3f09bf72b8a73471082c39c5aef3b53a
SHA256ccf095501a809b919021f6493e40ff523ea45a7b2c0bb42dc89b3200a9e1e59f
SHA5128ec3aede9541bf286f00ea2c2bfbd4a2e48b13c89847e24325a4f911c96a76bbc1643f0287d2abe9fb68c3c17ba7bc922883ac0434963ef9356cb0790d7699e1
-
Filesize
5KB
MD55f29ba50fc7dc5387fc0152c8f2f9752
SHA1654125579bca747c7d8c8024180e7a4dc24e9ffa
SHA2561fbd67e12216341aa5d51cf9e8aef75cdd93f3e38ba45d8c2d9d7382361c7e33
SHA512b8cd93db2389eeca06f8072f8624e1c051e767f225c47e7fbedafdbf7831c18dc9d992d303907d3d9c4911bc94024e7741ec75fda343fd8dca91269a767c55b5
-
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png
Filesize2KB
MD5db12694fede0ec342abbc8e888bc4016
SHA1cc1e517fd2dc61f3a5614d37e4ce547c602f745e
SHA256dc3dc884506ab6029adb864f6abd1e1867aaf7d0f88e635c8900dac5d816b4ac
SHA512a3284e1186ebacf154f8fd7acc57c990c22598c6f87a2e7ec8f5fc278396b0e3ff2521d27f0e0839df9f7229d43be3df41b7a6c1bbfd1dac7d1d0e06c0126b32
-
Filesize
6KB
MD5bd71e56b6ef54529f1be2502e1e2157d
SHA1668d88ac610dd13a8072fb8265543a171ff43fa7
SHA256cfb752e5184007e41dd92b6199522c2ea0d21e7063d76cddcb2019c8ef16df7a
SHA51242565c74030be6d5273f9b95afec32d581f29fd97733b5f4ff2fa35a4a966267a008e7bdbf26311e1e5cd870bc8e3eb7f135aa6b70cf1628aaa6035ce8e24c48
-
Filesize
2KB
MD5136eb25b053239c6f35ff3b4ac479574
SHA1626a6a89484ac56fa3cfee4f9087a118e5fcc297
SHA25682cb0c30adabfcbdba17d6980734caed1c961be699d7710e2d270ee5df89a4bd
SHA51263da537637a2cb4c5b176d89a4c349fb70642ca3d95fa1a80639ec4c0f4ab6212371bc92b7e00e44fd12889db18ced82bb125327b611c3393c42a4ead7eb566e
-
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
Filesize2KB
MD58135dda890bf190ddd8e55cf639c6d80
SHA120ed64223d718901eae4014ee81702259686c133
SHA25677229f69167be76de86a55eab2494c7edb3ac8f0f577530e92fd34faf5c56e62
SHA512a1dc3e1eaafd5524d4891c90f86b2efcf310b0805880c92e937e7c9ff1d6601e5cf45c42081e5ec86f4721fef0de32a84a2841b4cacd27360874b54e551e0703
-
Filesize
6KB
MD5ddb2e9bda508f419d0534296d57ce0e5
SHA11c2c9dd1613fa6b0708f2ffa89db10ffdab0d789
SHA256979fc42573895e413f5a5d612e28f0cc805bad24e858fb01ec5eb5c1c2fc7edc
SHA512410d0d322150b19a3cc8b8d4a5e42c465beaf0ac8b8ec434d974e4beaacf9a7aea2d6bd6a25f1736a2fe0a35c620b6be6677698b5bb1e8ad1c1b1467e2813780
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l2-1-0.dll
Filesize20KB
MD5ab9ffd10154df7adb8f4add7a8ba1242
SHA138e12ed4aa6aeb1f3868f616dfe8754ac1105cce
SHA2564620d8076d4aa6c04c34eb3914163ca8ac57382dc443bc74714f9f9b03fb5202
SHA51218da4704c41fdbe6ba2c7cfcdbe52f8954989470ccef1ac9f12279cfe9cf73c4967b3838db28ca996f55cb7012df42dfa5de251f9e4430f8af215c1ab9e21b01
-
Filesize
16KB
MD595eb240d8f0b252c80168955d9fed507
SHA1727ffa7344d4872283e28d833ce82eab58691003
SHA2564a55e040c18cb9c071b140166fc1a779cc2061359333e3db1b61b14cdc8e3998
SHA512b8b11482d6a833e26759d99115441aa7ce5a5106f8b19b531c625bf3caafbbe12dfdb86539af3a4e1d7f55a6cbbfd09ac894c1b54dfd6523292bc1cfcd6f3733
-
Filesize
41KB
MD52b3d204e9648d9f7de292d2f61b9a4a6
SHA1059388684628629a1083cd1356f6e6184380c4ee
SHA256861bf2e95335ba2db347e14171618383926ce6676f1a3903b1bcf24c4e4dd766
SHA51268da99aad66cba86341c073a05fbe75ab8dbe68a6d842de28b6f344b4e99d6b624e738e923ad693cc821297e5cfa3e2751cdcdfc10054614245be15a6aaf409f
-
Filesize
44KB
MD51508c71f337e8833eeb1fa322aaf46c5
SHA101154e39d6e1a623c6765e2760d9f1c9193053a3
SHA256266ffe0d71885a1db77a88c494f996d80fca2898af809a14b5189f1289af1a3a
SHA51236396173ddf8ae5be35ba3ea69515a5b775ed1c86d999e9f4286d84fe59ef180ef589f8d40167bf579b79fa9320352df0afce3c724aa633bd2048b2a1aa2e55c
-
Filesize
41KB
MD5fc5849508bd15c4328c61ed8fff12887
SHA16e1f38bb26e7fd9f765f8e1b13b90c8b0296558f
SHA25691c5d87a7a0b1510aafd72034f425d8f6cd85ff02b0fc05098a90a255f76426f
SHA51297cde4bf66f71796716d0ea20da4b82853b12354edbce9d8c944794fe2f14c4a5c2b0d4ed123d1f1acabac17ed5715c4b5800934ec96bd84456e7f3d40e18946
-
Filesize
414B
MD5d1aa93265ebe616cd0e89439039ffca2
SHA1cd19af9cc24f7a0132f4857dac42507495296215
SHA25608135f789662134d264b459acc8fba6fbc635867b61143d6040ee0ce6912b4dc
SHA512ba5b9377bbdfcf0fe9c5a1e32016a12bb66e523146e820becd53bf1586bddeb3beae5711470190671e27927a3324bd007edd7ec77ff9f4239ec194263f99e9f6
-
Filesize
270KB
MD54be8adaf33a1f57481cce8789a4b2f8e
SHA1d51ca58dbda01ef7987c24d23a8801bb5fe10937