pandastealer | hxxps://anonfiles[.]com/r7f7r6A8y5/crack_me_rar

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2022 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/r7f7r6A8y5/crack_me_rar

Score

10^/10

pandastealer spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

http://a.de

Signatures

Panda Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3524-138-0x0000000000C70000-0x0000000001398000-memory.dmp	family_pandastealer
C:\Users\Admin\Desktop\build.exe	family_pandastealer
C:\Users\Admin\Desktop\build.exe	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

4184 build.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\crack me.exe chrome.exe

pid	process
4184	build.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\crack me.exe	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 64 IoCs

Processes:

crack me.exechrome.exeOpenWith.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	crack me.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	crack me.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1	crack me.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	crack me.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	crack me.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	crack me.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	crack me.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	crack me.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	crack me.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	crack me.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	crack me.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exebuild.exe

pid	process
4952	chrome.exe
4952	chrome.exe
1244	chrome.exe
1244	chrome.exe
1664	chrome.exe
1664	chrome.exe
2472	chrome.exe
2472	chrome.exe
4696	chrome.exe
4696	chrome.exe
2436	chrome.exe
2436	chrome.exe
5200	chrome.exe
5200	chrome.exe
5280	chrome.exe
5280	chrome.exe
5768	chrome.exe
5768	chrome.exe
6076	chrome.exe
6076	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
4184	build.exe
4184	build.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1268 7zFM.exe

pid	process
1268	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	process
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exe7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	1268	7zFM.exe
Token: 35	1268	7zFM.exe
Token: SeRestorePrivilege	5216	7zG.exe
Token: 35	5216	7zG.exe
Token: SeRestorePrivilege	5500	7zG.exe
Token: 35	5500	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1268	7zFM.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

chrome.exe

pid	process
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

OpenWith.exechrome.execrack me.exe

pid	process
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
3104	OpenWith.exe
5768	chrome.exe
3524	crack me.exe
3524	crack me.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1244 wrote to memory of 1456	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1456	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1072	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 4952	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 4952	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe
PID 1244 wrote to memory of 1672	1244	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/r7f7r6A8y5/crack_me_rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb93654f50,0x7ffb93654f60,0x7ffb93654f70
2⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6060 /prefetch:8
2⤵
PID:5440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
2⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
2⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6332 /prefetch:8
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:8
2⤵
PID:5976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:6008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,5629711641746653806,13341655689866456868,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1580 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap7664:78:7zEvent18187 -ad -saa -- "C:\Users\Admin\Downloads\crack me"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap2182:78:7zEvent24805 -ad -saa -- "C:\Users\Admin\Downloads\crack me"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5352

C:\Users\Admin\Desktop\crack me.exe
"C:\Users\Admin\Desktop\crack me.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3524

C:\Users\Admin\Desktop\build.exe
"C:\Users\Admin\Desktop\build.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
Filesize
20KB

MD5
9287067e721c0d690e72898806941b6d

SHA1
c78d835376768cdb711067b71e3f8a80baaa4bc9

SHA256
f6a4a9f3cce0f092785e3444012c2a47f8ab8ec5f0e737b80e068b7b41d58004

SHA512
6bb81cc574466d7c341bd45c11fd1ca5c978321dda1b226c4ef8a5614223c0b75c52d20f3cdec300fe47be23a760fa40a14a871781cdf9f0b90b40d37df98d8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
88KB

MD5
e47511b49da7f197b083e22a52e6766f

SHA1
38917b6f4ad11293576e935aa5945a04d8dd9439

SHA256
a9b21285a5b7ac24e54c5db0244c976b67ef88148ca1647e3c939e918521b830

SHA512
f9d9b67a70cc95d4421bcbc40d9b774f9611b26c6e52dba9e4abfecb52bfa36a39d215a475543ff67e76df91b5f9c112135e686ee2bb705b5a31d0a3e1cc2d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
112KB

MD5
4273ee95ccda6dc039c1df57de9051d6

SHA1
f12d708e5f1d9abd5d9561856c54226ec0c771dc

SHA256
3885f40187b1d70a5b03900c47ae671cfb38ce1c23c15a51dad9afc71f5276d2

SHA512
eacfa1452b615240d175cfcba0dc03819b440dd635ec1df3fd01f1e3ace98e8e8312f10ccef5b56df9a5837f2d9e819e4f13460efb5bd5e659a8fb1dcddce76f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\build.exe
Filesize
681KB

MD5
2926bf5366282d638b46f964be4e690f

SHA1
bffb4137a1eb0f87e65da13f483dc76a996863eb

SHA256
6277841d35d89da5d87435443e35a7c59b1ea8508f37aeb5e2af0cf27e256225

SHA512
5bae458412bc2d4e535a8013e7f7a958ccc73e55419a885df748764cc8c5ca5d7ad5ea7fd1b7a51c0ec2942ce92228e51efbfba9b765a822a1bd0b3c37b3ba5f

Download Submit
C:\Users\Admin\Desktop\build.exe
Filesize
681KB

MD5
2926bf5366282d638b46f964be4e690f

SHA1
bffb4137a1eb0f87e65da13f483dc76a996863eb

SHA256
6277841d35d89da5d87435443e35a7c59b1ea8508f37aeb5e2af0cf27e256225

SHA512
5bae458412bc2d4e535a8013e7f7a958ccc73e55419a885df748764cc8c5ca5d7ad5ea7fd1b7a51c0ec2942ce92228e51efbfba9b765a822a1bd0b3c37b3ba5f

Download Submit
C:\Users\Admin\Downloads\crack me.rar
Filesize
2.8MB

MD5
60c0e9bc426609b2f30fe2344796bccf

SHA1
b3ada393d0223ca317d7eecaa56d48fbbb9265ea

SHA256
fdb8a3401aad1941bd617377ba8c4c7823b2ffa6e0bc00be4a8d9f9a67a9758f

SHA512
7a73d6dc7c3bca2a148aff21849d7063b6f3d575691698ef46dddf812bc5e7af661b27d37482fcb541068b56a2ea30da192041757b8cc3131bb014af40340545

Download Submit
\??\pipe\crashpad_1244_ZABJBKPTLXWTNVZA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3524-143-0x000000000A6D0000-0x000000000A6DA000-memory.dmp

Filesize
40KB

Download
memory/3524-142-0x000000000A6F0000-0x000000000A782000-memory.dmp

Filesize
584KB

Download
memory/3524-141-0x000000000AB90000-0x000000000B134000-memory.dmp

Filesize
5.6MB

Download
memory/3524-138-0x0000000000C70000-0x0000000001398000-memory.dmp

Filesize
7.2MB

Download
memory/5216-133-0x0000000000000000-mapping.dmp

Download
memory/5500-135-0x0000000000000000-mapping.dmp

Download