qakbot | 7b65db91b674c077640b43395bef733f4e843073fa36be6e153a644aa751c886

Resubmissions

05-08-2022 09:33

220805-ljglhahgf2 8

03-08-2022 14:10

220803-rg1jgsbhf2 10

Analysis

max time kernel
1448s
max time network
1473s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
03-08-2022 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Report Jul 14 15082.html
Size

1.1MB
MD5

17478bdc88d5d8101ff1058ab0a44116
SHA1

68021e91cba64f8934552793b5576a5a784c2576
SHA256

7b65db91b674c077640b43395bef733f4e843073fa36be6e153a644aa751c886
SHA512

b4d188fb18594902ae866a29e7eafd8876a2d5a3e7ebec9254467e8fc3c9b7a5010777de13ef06b540874595eca1fd095c8ed3a4f1fa24f6a1b5d5c8241532a2

Score

10^/10

qakbot obama201 1657815129 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

obama201

Campaign

1657815129

70.46.220.114:443

179.111.8.52:32101

208.107.221.224:443

176.45.218.138:995

24.158.23.166:995

24.54.48.11:443

89.101.97.139:443

24.55.67.176:443

24.139.72.117:443

120.150.218.241:995

174.69.215.101:443

38.70.253.226:2222

41.228.22.180:443

217.165.157.202:995

172.115.177.204:2222

173.21.10.71:2222

69.14.172.24:443

47.23.89.60:993

104.34.212.7:32103

66.230.104.103:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

calc.exeChromeRecovery.exe

pid process

1596 calc.exe
2312 ChromeRecovery.exe
Loads dropped DLL 3 IoCs

Processes:

calc.exeregsvr32.exeregsvr32.exe

pid process

1596 calc.exe
3008 regsvr32.exe
880 regsvr32.exe

pid	process
1596	calc.exe
2312	ChromeRecovery.exe

pid	process
1596	calc.exe
3008	regsvr32.exe
880	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2456 schtasks.exe

pid	process
2456	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 105db69853a7d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://virustotal.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url7 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = f0effae756a7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366308021"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://www.facebook.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 108e8f6455a7d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "http://dontpad.com/ph15k1t5"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 9024406155a7d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://www.adobe.co/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 108e8f6455a7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://dontpad.com/ph15k1t5"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://dontpad.com/ph15k1t5"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\DefSpellLang = 65006e002d005500530000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 9024406155a7d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "48"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://virustotal.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TypedURLs\url8 = "https://twitter.com/"	iexplore.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

explorer.exepowershell.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\350ba6ba = 271012830cbca5a317f5bcfe91922928b7cfed8253bd8d68338200c1ac17b8828fba7bdae80b4c67c7727d249fcfad	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\8db7c1df = e99d6a651bb01931ac7e9e79cb85013693cda82a0f37422ca28a8e57c0feb862e237d53485f128aa68ead4a64e470706714c446ad9972c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\f0bf8e55 = 2bb98d11ff66ba89ae31076d48e93e214d658f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\8ff6e1a3 = 4041946ce6aea52797fc47ef076249f5304b0dfb6a4fc1c4e8babd55a110cb7ae9b5aa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\7d9c397e = 1b3d375cd66db5d2527c36112e7ccf60f58dc74617bbc99ea38076b7113e71d0528b41ee91f0c2e7b845b539bd452bfcee86005f35dab6d467be819a3b0a4a679dda9a6f62875fde8a894f709ee1b70f1fa1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\2d55688 = fb36232f7108a2fdfc5c2202806051966416726f70d76b3f9a3c0d37146529261d3cbdfd76e9616562fff999ab93d26e8de48855c870cf0a34	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\2d55688 = fb36232f7108a2fdfc5c2202806051966416726f70d76b3f9c3d0937146529261d3cbdfd76e9616562fff999ab93d26e8de48855c870cf0a34	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a00b994756a7d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Agukaxwyrwaz	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\2d55688 = fb36342f71089106c59cbe7e7b7a3a215600020c51359d1095e269cdd244498357bd682d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\374a86c6 = 7cd182bf814f5ceae1b998aa37ef5eb66ff2aa218fc1fe6ca5fc4cc5e68c93e2a005d26edf1af2393e2ce12db1397b7a48f81682662c6197d641f871d8be623288c69997de05e539e12ebf6921e903cd12c3f61e49174e2a8a9d983cda61bce865f83b9864dd988194938cb8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Agukaxwyrwaz\4803e930 = e75f48a7c601279ad10e0be6181c11f0f7fa716c6d2a3aaeccccf22f104b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies registry class 6 IoCs

Processes:

IEXPLORE.EXErundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

calc.exe

pid process

1596 calc.exe

pid	process
1596	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iexplore.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeregsvr32.exeexplorer.exepowershell.exeregsvr32.exe

pid	process
1912	iexplore.exe
1044	chrome.exe
1676	chrome.exe
1676	chrome.exe
2608	chrome.exe
2616	chrome.exe
2572	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
2668	chrome.exe
2264	chrome.exe
1612	chrome.exe
3008	regsvr32.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
988	powershell.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
880	regsvr32.exe
2028	explorer.exe
2028	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exe7zG.exe7zG.exerundll32.exe7zFM.exe

pid process

1900 7zFM.exe
1488 7zG.exe
1552 7zG.exe
2004 rundll32.exe
1240 7zFM.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3008 regsvr32.exe
880 regsvr32.exe

pid	process
1900	7zFM.exe
1488	7zG.exe
1552	7zG.exe
2004	rundll32.exe
1240	7zFM.exe

pid	process
3008	regsvr32.exe
880	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

AUDIODG.EXE7zFM.exe7zG.exe7zG.exe7zG.exe7zFM.exe7zG.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: SeRestorePrivilege	1900	7zFM.exe
Token: 35	1900	7zFM.exe
Token: SeRestorePrivilege	1488	7zG.exe
Token: 35	1488	7zG.exe
Token: SeSecurityPrivilege	1488	7zG.exe
Token: SeSecurityPrivilege	1488	7zG.exe
Token: SeRestorePrivilege	1552	7zG.exe
Token: 35	1552	7zG.exe
Token: SeSecurityPrivilege	1552	7zG.exe
Token: SeSecurityPrivilege	1552	7zG.exe
Token: SeRestorePrivilege	276	7zG.exe
Token: 35	276	7zG.exe
Token: SeSecurityPrivilege	276	7zG.exe
Token: SeRestorePrivilege	1240	7zFM.exe
Token: 35	1240	7zFM.exe
Token: SeRestorePrivilege	1748	7zG.exe
Token: 35	1748	7zG.exe
Token: SeSecurityPrivilege	1748	7zG.exe
Token: SeSecurityPrivilege	1748	7zG.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: 33	2988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2988	AUDIODG.EXE
Token: 33	2988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2988	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

iexplore.exe7zFM.exe7zG.exe7zG.exe7zG.exe7zFM.exe7zG.exechrome.exenotepad.exenotepad.exe

pid	process
1912	iexplore.exe
1912	iexplore.exe
1900	7zFM.exe
1488	7zG.exe
1552	7zG.exe
276	7zG.exe
1240	7zFM.exe
1748	7zG.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
2520	notepad.exe
2216	notepad.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1912	iexplore.exe
1912	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
1912	iexplore.exe
696	IEXPLORE.EXE
696	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
1912	iexplore.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
1912	iexplore.exe
696	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1912	iexplore.exe
1912	iexplore.exe
1912	iexplore.exe
696	IEXPLORE.EXE
696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exerundll32.exechrome.exe

description	pid	process	target process
PID 1912 wrote to memory of 1732	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1732	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1732	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1732	1912	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1956	2004	rundll32.exe	NOTEPAD.EXE
PID 2004 wrote to memory of 1956	2004	rundll32.exe	NOTEPAD.EXE
PID 2004 wrote to memory of 1956	2004	rundll32.exe	NOTEPAD.EXE
PID 1912 wrote to memory of 696	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 696	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 696	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 696	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 2036	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 2036	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 2036	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 2036	1912	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 1728	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1728	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1728	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1440	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1044	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1044	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1044	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1744	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1744	1676	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Report Jul 14 15082.html"
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:4142095 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:696

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:2962448 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:3159123 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S4AY2\Report Jul 14 15082\" -ad -an -ai#7zMap9833:236:7zEvent6395
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S4AY2\Report Jul 14 15082\" -ad -an -ai#7zMap32422:236:7zEvent6623
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1552

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Report Jul 14 15082\3590\Report Jul 14 15082\" -ad -an -ai#7zMap12916:146:7zEvent16971
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Report Jul 14 15082\3590\Report Jul 14 15082.iso
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Report Jul 14 15082\3590\Report Jul 14 15082.iso
2⤵
PID:1956

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Report Jul 14 15082\3590\Report Jul 14 15082.iso"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1240

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Report Jul 14 15082\3590\" -an -ai#7zMap21476:146:7zEvent4470
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef63a4f50,0x7fef63a4f60,0x7fef63a4f70
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1072 /prefetch:2
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:8
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2540 /prefetch:2
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1008 /prefetch:1
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=108 /prefetch:8
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=628 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,5553754351055192834,2626710871045760704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
2⤵
PID:2560

C:\Windows\System32\MsSpellCheckingFacility.exe
"C:\Windows\System32\MsSpellCheckingFacility.exe" -Embedding
1⤵
PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c calc.exe
1⤵
PID:700

C:\Users\Admin\Desktop\Report Jul 14 15082\3590\calc.exe
calc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1596

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe 7533.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 16:30 /tn rbonasa /ET 16:41 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABSAGUAcABvAHIAdAAgAEoAdQBsACAAMQA0ACAAMQA1ADAAOAAyAFwAMwA1ADkAMABcADcANQAzADMALgBkAGwAbAAiAA==" /SC ONCE
5⤵
- Creates scheduled task(s)
PID:2456

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1080

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={5fb07cd6-630a-416b-b463-1140729fe581} --system
2⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2520

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2216

C:\Windows\system32\taskeng.exe
taskeng.exe {9F1B9597-9D86-4AE9-9192-D74F7C744390} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABSAGUAcABvAHIAdAAgAEoAdQBsACAAMQA0ACAAMQA1ADAAOAAyAFwAMwA1ADkAMABcADcANQAzADMALgBkAGwAbAAiAA==
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Users\Admin\Desktop\Report Jul 14 15082\3590\7533.dll"
3⤵
PID:2996

C:\Windows\SysWOW64\regsvr32.exe
"C:\Users\Admin\Desktop\Report Jul 14 15082\3590\7533.dll"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:880

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Modifies data under HKEY_USERS
PID:2956

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1080_2031617621\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
665641c5a8ea192941bfd3794a9c3c2d

SHA1
b65fbad877c3752bc08e378cf9fe765d7f3da7ad

SHA256
0682283af2401c76e4a9e6e4b04d50261e733f26b60572c09d7cba1d40b8f93f

SHA512
35edd51b2b170769a0ca899bf38ff7f27a7a190120ecc50fe8b6052bf4ca0eae07a3eac5e682835bb9ecb01ec44a534f0537016937d4c7da28d0b8b15e54f877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_F97E3458719FE8B5437DE55F349865B9
Filesize
472B

MD5
c660281ffef858223bf7a30410450fe7

SHA1
95627ab988485692900c90fe916998d75eb025a7

SHA256
a2f52d260315e2290d9c63c1575df10de20aa80c6fb58c162a4083a37553bfbd

SHA512
ebfe1a790bccac7cd2fc3356df10c1c26e8fbc51772bda8d43bcd2eb58147813b62b77694d8d77147ee0d3b4c2e2a520c19fe31f4b440bc953f945d0141f2414

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
7f50c054e6a36bcb31992dd4c6f5e71d

SHA1
feda46846a81c9cd143f11a0b1619dce6c616343

SHA256
5ba0d6cbd1bcd76cf8a6165ead0b51350898a3d956db363d7e1970e38e72e39a

SHA512
3c55ecc44a5bc351758646bbadb203f75e4ad8517d5912354ef2a415cda8eff8918c557f2362c87564609b1466d18db3c5fd8f20f12e937d9d6d618e4b9909a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_A4CC4BA6D8C868D6962E073729DF794D
Filesize
471B

MD5
213cd84644764d4561eed9525af1727b

SHA1
d25825d1bf353af350fe58b62c65f76c8ca27d6f

SHA256
18e532c36b7e5dd4b6dd5e0fd51a6eda9238981f0c1f63e5fe75d7e4e4172933

SHA512
640fd46d7e2207fd7946ab1cf62c12a4f58541abe10f78c5c48dac1a9dca179d389b3c692149ecce9bafbd339a0c9a6fab30022fa2c7dd6dd78530a8ef2404df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_4D168D4419431996C7034D53B3EACCBC
Filesize
472B

MD5
cfb9dbc8f9fa9d02af0b826433142319

SHA1
c9d23c8e191be2329e2ca1b2d51ff4cb8f50d7c4

SHA256
c6f9f3d4b73bc5a97e4f3f6d99a92f0c6f166f2ed920bea31126b21b9ee86546

SHA512
9d7e4408006d9580bebb50de991d10802bebffb1f85ac0b365c9ca457c3ddfff786f35c686aa890d54217631da37a3c93ba6a1315d914514fea1ac380659faa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_E64A58EA668DE7BEC95F6C7C5A8689E0
Filesize
471B

MD5
658624f116b1a2e132f9e098dfbe4c55

SHA1
49e9b922cab1f6b5144b0f5a1771c50267562222

SHA256
bb8ca3676343ff6ce5c7f18b521f1b883b3f64fb05bbf83886386530e6397c3e

SHA512
58c06c294db6a3d3937e0f3e9d00937199a190ed246c342eb292f178b9c1d7afe16fccf6c5ac6cb3b1e5dbcc40373dcf2b9b49a8dcde0c8903b6a3ed98affdde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
c7197d0fc18869038ac5ab261aa06bf9

SHA1
cbcae5ce0e94c6f4cbb2356a6a93fd70a6028b85

SHA256
9b818ac191fc2acb7b522b3ca5ea6beed85416ebbfa186df5ee41caa1424a9c5

SHA512
b92b524f0b048186f4adfa184c6994b3e5451995649c85a9f4f476b23c6555b4743f598189204e60561b0a65369e10d7f8aed605d6d47cd672412f0b6e751af2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
9f6e64cf465a63dee2c5be9cffc19557

SHA1
f55f229769f350d57b2ab5db1d239f91197836f4

SHA256
579174ce8e5f22df08c09ce1f5b701f7f7a20e47f2790ef2d9c1184c0f6b9607

SHA512
8ce3fa1077379ef5c87fe51356f77c1e7f4b66ffe06e491e1e3c8d00779146382a2cad7e806578c55df91fb47a1494ce8a6a2c503c02ca6c717b39bc53d64f29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_F97E3458719FE8B5437DE55F349865B9
Filesize
410B

MD5
4d091ab0a5d7c0fa0f9606156a88adfa

SHA1
e449c045d19dc83c638ef3cd78165a65de5714c1

SHA256
3d76e109d04cd0a79c5c9d121a79d30644612585beedf6cc6ae31b3b90e53296

SHA512
641e811bc0a3b2dfa3d93aa2ac01f6d0888e4876cb74489d0247b4df5ff6cc8244108c5faa129f0850bf9af509f534dd2cd2a7f2531cf9f037a19789e0e4a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
eea5e78324cdf40181549b2132c085bb

SHA1
85a37af7b8c23fee8810ae5303228edcc3c5f9b5

SHA256
b5536ae035a878ce82a058f252b3fc121122e5a847545b93eeb27725e697becb

SHA512
3bd83925464daa95a21c82329a2ef0c5649d6841fde1a3f0ebb02fb46ca39f10e7c640272fb42a747351a226619ee08c577db76fd9b8e1f73de7d0384f64bdda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
7927ac15cb577cff62688c7ce4ac3451

SHA1
65fd86d90957e05e59c2daa7685cf819afb85e0d

SHA256
7aa7c5e2c3adbe3e1cd90473388a48d07eaf5294748ac513625173e621b3d840

SHA512
e9bfd20f52c03b0a452590ca024b58b773e4931357abbe6c9f7ead687beb04db7e8950fbb3979bd73252db5be3abd2c30cb3838d65cae57f1bf7a0b037d948a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_A4CC4BA6D8C868D6962E073729DF794D
Filesize
400B

MD5
374983cb2e58d8d1991c1fda5eb1acae

SHA1
b9071a51b07f6ffafb3d66b59fd98eebade1ebe9

SHA256
d8ebfcc238a11d8cf1a460da0e54a51f63baafa69ce14237cc0bb99f37bee090

SHA512
8d566541f7cdd7ef6f1801ade43803d7576b162d81edc19c241629dfcef1c3bdb588db4a3576d0b35c8c27d9e1057f5d697628e61f47839ef84aed556e6ee653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_4D168D4419431996C7034D53B3EACCBC
Filesize
406B

MD5
ed69d06c7ae5f0130cdf6398e7058f7a

SHA1
a3b2d46cb427fea9d44fe143c089e524d262f7c7

SHA256
5eabfbf3f2483a05d0c71a34b04097179755bb73bb337b0e98f021064294b56d

SHA512
88bf5934eb16f4bed516bf0a1865bf32847ce0d861f05d81307bc2d3e95db00439140612d11131398567848f711fff4af1e70050bac0f3e3cf765aa909956951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_E64A58EA668DE7BEC95F6C7C5A8689E0
Filesize
406B

MD5
a0b2a61049d801e3230d338627010c9b

SHA1
c825b379e52ed047b8440273bf0eef1b57ea2f2d

SHA256
1b85cb79f2439004e44f147b340aec694a45ded2806c7100a12e86f7fcc80019

SHA512
6400a0dbeb67bfd3f15eba1aab7aa77a4dbf4518f2490800700aab2ac5d7e482d04697db7a30528b22ca415d4d364a21c915572825f7168b8bc4c1b6b718c147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\35bgd18\imagestore.dat
Filesize
10KB

MD5
4e535b9fd6340989c5d246c0a8c394c8

SHA1
9524d8a076420f97695d74e1480efe13844b577a

SHA256
650f6f7e61cffa19128c8b82852daec7ddad2b962fa325a961b941e7056dc63c

SHA512
95fce991aa3cb00ccb815f961490c68909eddd460bcfae574fd7a6182743f8633e1418d8a76949893410a2c771c11d745940ccb4a9daf0d0d910950d071fcf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\35bgd18\imagestore.dat
Filesize
10KB

MD5
4e535b9fd6340989c5d246c0a8c394c8

SHA1
9524d8a076420f97695d74e1480efe13844b577a

SHA256
650f6f7e61cffa19128c8b82852daec7ddad2b962fa325a961b941e7056dc63c

SHA512
95fce991aa3cb00ccb815f961490c68909eddd460bcfae574fd7a6182743f8633e1418d8a76949893410a2c771c11d745940ccb4a9daf0d0d910950d071fcf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S4AY2\Report Jul 14 15082.zip.c0r1xux.partial
Filesize
696KB

MD5
41372841889046d646724b37ad4df4da

SHA1
f2739815a4291fc359af2ad0d6c45ef0833648d4

SHA256
ba52c037ca0db00c578bcbc3c16283f76dbd4727ac1621b7641eca0e246c6ebb

SHA512
81c6b0923ecdd8ee9186b336531bc10edf732d3eca0ffe19d5f526cdc288ccc5dcf570e22d0a01e6bb51dc9a0d2f13477283578726a181052096c62abe9aadbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1OPCIB79.txt
Filesize
571B

MD5
b9d0113995d5fa4d011f052e6f26c73c

SHA1
934556e952d2876bb3f991e23fd194f40cf7b03c

SHA256
045bc3f7d9cf1afa15f5b726b8527eb754b1bb5e41d2c10d2eb37bd9bc87aa0f

SHA512
fbecc33b0f4299dc74856d44530e3cfc4a87c41d8d580997d78eb81e70b1246d679d5df986c9408416644b703195bf4e234e8d4fbaef9e9443b36e8e61b6c103

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3C97ARQS.txt
Filesize
571B

MD5
8854caa3c8e0891d65427f1e0988664e

SHA1
93ad3380a72970aaa71c5667ef633aa46d18df51

SHA256
2f51666dbab04475adc316c4f5675fb5068232c8bea9fbd653d934650571e3e7

SHA512
58b90c40d229083a7d2577bf8dfeb5d5a24fdb05eb6b34982a103a3bc2efd11344a47c1785c7b087d62d70025deaea0f160b11ca14aa690737f89388ce56e7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EQB9RC3U.txt
Filesize
345B

MD5
44eb6352546eda8d0df662c9db20bf4a

SHA1
86798474ed4b7ba2077d7ca4669c0d4d3b64ce9b

SHA256
72d91b401076061a4dcd032d47a9297c3f390e6e003ba4f4048b2ecab453e07d

SHA512
414689fd86b34b6397bc558a743e4056c45cf5da9bf0e479b5f96171bb85341ccf21fc1c1d65cf09853aa9a01a94de3fe51b77efa19836333e097e806a9496e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V7BAXJGK.txt
Filesize
607B

MD5
0645c10ae8805c6b3994be4794fa6405

SHA1
3596d6bf6f938bd918d2864120049ad540a1e99d

SHA256
7c5e32058917deb4b753bcf30faff2f910e5ae00aa8353f1b0ea7f1ae49da837

SHA512
48d7ccace8e228773d0392b1e43fde6dad2c58b861958d05559ed81f924f2901496b304a2eb839d9ec5987c8eb3c0fb6dd313ddc049546969bf54b0a663b3b4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VJ4TEAWJ.txt
Filesize
414B

MD5
c46a3fb876a79c8a857481d6b68e2151

SHA1
d9cb3c91628dbb341f1dc319a08052619dd3a755

SHA256
82df2835f1e4664529766ff49a0d2b76d4de97a8252fbb24017a414fa45adeec

SHA512
9757bd4d7dc009591de3ba6abb35ca4100a07985f07ee4515e5524004670d333ae695160a0bf3f9a80e21defa2a36279f5c667ee75941bbbfa1519239eea13b6

Download Submit
C:\Users\Admin\Desktop\Report Jul 14 15082\3590\7533.dll
Filesize
663KB

MD5
9d4e58407ddb622c56a8f7140d2ee7fe

SHA1
3bec502d2d91606e5b6e76b08e7005c45b6e1a1e

SHA256
a2764be5da8416921cbb8d6006c8e449c2b5724b1929c957a282ff10135798ae

SHA512
54c1383c79ee91bcb14a20421a5c65e1643171c35499424cf37c6c75327db655c6aa0b57afbde659848a9b4f1144dfd6ccd53a77d3f02e7ecbecf191853ed9be

Download Submit
C:\Users\Admin\Desktop\Report Jul 14 15082\3590\Report Jul 14 15082.iso
Filesize
2.6MB

MD5
7d2e37c9f9c8f93dc7c7966d8971dee9

SHA1
0519d2c8e4e3752231d61fa3220b71b77c3931ac

SHA256
4bdf6fbeb3f8eb6af6b0d7bbb7790a51d4c09cfbfff03d0e7e35a5758450e49c

SHA512
005351c5e837eba6909d0cab220c2ac30eb12891ce603cf21cb2b6a753e2c9f929d18e9c1c67059889bb0c82cd84e0619b403f6d7b5834f6ff2e78f81ad88b44

Download Submit
C:\Users\Admin\Desktop\Report Jul 14 15082\3590\Report Jul 14 15082.lnk
Filesize
953B

MD5
6beb697ea179a70fe4b17a8082f5f3de

SHA1
31c0be28f46b86670c3d08d3c4f6ee8793cabbbe

SHA256
87e0b52eff04e28bc5b041592d628a3500b147dd8e2164642b00d4a6602cd45a

SHA512
4a3ff0308a3f64d43f4258c39a76ace9210bc7a32f949ff9a188d1e6c4cadc2ca311ed312b8b6010818c3ffb62ae24c19ec76471e3b7b2671db9307bead6ca3a

Download Submit
C:\Users\Admin\Desktop\Report Jul 14 15082\3590\WindowsCodecs.dll
Filesize
4KB

MD5
21930abbbb06588edf0240cc60302143

SHA1
48bf9b838ecb90b8389a0c50b301acc32b44b53e

SHA256
8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751

SHA512
36b092e22b953a4c984530ee1f3d01aae88084ed8146918316438ee37daefe76ed3cb6dfa39c7a020871a92fc2df0a22b5f4146cdd6437339fe3cff4792db4f6

Download Submit
C:\Users\Admin\Desktop\Report Jul 14 15082\3590\calc.exe
Filesize
758KB

MD5
60b7c0fead45f2066e5b805a91f4f0fc

SHA1
9018a7d6cdbe859a430e8794e73381f77c840be0

SHA256
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

SHA512
68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Download Submit
C:\Users\Admin\Desktop\Report Jul 14 15082\3590\calc.exe
Filesize
758KB

MD5
60b7c0fead45f2066e5b805a91f4f0fc

SHA1
9018a7d6cdbe859a430e8794e73381f77c840be0

SHA256
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

SHA512
68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1676_ANJENWUIUDDNDWHN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Desktop\Report Jul 14 15082\3590\7533.dll
Filesize
663KB

MD5
9d4e58407ddb622c56a8f7140d2ee7fe

SHA1
3bec502d2d91606e5b6e76b08e7005c45b6e1a1e

SHA256
a2764be5da8416921cbb8d6006c8e449c2b5724b1929c957a282ff10135798ae

SHA512
54c1383c79ee91bcb14a20421a5c65e1643171c35499424cf37c6c75327db655c6aa0b57afbde659848a9b4f1144dfd6ccd53a77d3f02e7ecbecf191853ed9be

Download Submit
\Users\Admin\Desktop\Report Jul 14 15082\3590\WindowsCodecs.dll
Filesize
4KB

MD5
21930abbbb06588edf0240cc60302143

SHA1
48bf9b838ecb90b8389a0c50b301acc32b44b53e

SHA256
8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751

SHA512
36b092e22b953a4c984530ee1f3d01aae88084ed8146918316438ee37daefe76ed3cb6dfa39c7a020871a92fc2df0a22b5f4146cdd6437339fe3cff4792db4f6

Download Submit
memory/880-139-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download
memory/880-137-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/880-136-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/880-138-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/880-135-0x0000000000440000-0x00000000004EC000-memory.dmp

Filesize
688KB

Download
memory/880-145-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/880-133-0x0000000000000000-mapping.dmp

Download
memory/880-140-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/988-125-0x000007FEE37C0000-0x000007FEE41E3000-memory.dmp

Filesize
10.1MB

Download
memory/988-123-0x0000000000000000-mapping.dmp

Download
memory/988-131-0x00000000011AB000-0x00000000011CA000-memory.dmp

Filesize
124KB

Download
memory/988-130-0x00000000011A4000-0x00000000011A7000-memory.dmp

Filesize
12KB

Download
memory/988-128-0x00000000011AB000-0x00000000011CA000-memory.dmp

Filesize
124KB

Download
memory/988-127-0x00000000011A4000-0x00000000011A7000-memory.dmp

Filesize
12KB

Download
memory/988-126-0x000007FEE2C60000-0x000007FEE37BD000-memory.dmp

Filesize
11.4MB

Download
memory/1596-96-0x0000000000000000-mapping.dmp

Download
memory/1596-98-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1900-57-0x000007FEFBC71000-0x000007FEFBC73000-memory.dmp

Filesize
8KB

Download
memory/1956-63-0x0000000000000000-mapping.dmp

Download
memory/2028-115-0x0000000000000000-mapping.dmp

Download
memory/2028-121-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/2028-119-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/2028-117-0x0000000070DB1000-0x0000000070DB3000-memory.dmp

Filesize
8KB

Download
memory/2312-105-0x0000000000000000-mapping.dmp

Download
memory/2328-90-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2456-120-0x0000000000000000-mapping.dmp

Download
memory/2956-142-0x0000000000000000-mapping.dmp

Download
memory/2956-146-0x0000000000100000-0x0000000000122000-memory.dmp

Filesize
136KB

Download
memory/2956-147-0x0000000000100000-0x0000000000122000-memory.dmp

Filesize
136KB

Download
memory/2996-129-0x0000000000000000-mapping.dmp

Download
memory/3008-118-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/3008-100-0x0000000000000000-mapping.dmp

Download
memory/3008-103-0x00000000009D0000-0x0000000000A7C000-memory.dmp

Filesize
688KB

Download
memory/3008-108-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/3008-110-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/3008-114-0x00000000001B0000-0x0000000000230000-memory.dmp

Filesize
512KB

Download
memory/3008-112-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/3008-111-0x00000000001B0000-0x0000000000230000-memory.dmp

Filesize
512KB

Download
memory/3008-109-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download