hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/rogues/Live%20Protection%20Suite%202019[.]zip

Resubmissions

26/05/2023, 17:50

230526-wenjcshb41 6

26/05/2023, 16:28

230526-tyysbsgg81 8

26/05/2023, 16:06

230526-tkc9gagc69 7

26/05/2023, 16:03

230526-thrzvagc63 7

Analysis

max time kernel
293s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Live%20Protection%20Suite%202019.zip

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	[email protected]

Executes dropped EXE 10 IoCs

pid	Process
2760	[email protected]
4792	lpsprt.exe
4280	lpsprt.exe
64	lpsprt.exe
2192	lpsprt.exe
3428	lpsprt.exe
5032	lpsprt.exe
4920	lpsprt.exe
2652	lpsprt.exe
4656	lpsprt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe"	lpsprt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe"	lpsprt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe	[email protected]
File opened for modification	C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe	[email protected]
File opened for modification	C:\Program Files (x86)\HjuTygFcvX	[email protected]
File created	C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240584578	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5052	4792	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295980142487949"	chrome.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\〠沼翾	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\崐Ꮬȑ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\崐Ꮬȑ\ = "sql_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\.sql\ = "sql_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\.sql	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\T	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Ꮬȑ\ = "sql_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\涠Ꮯȑ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\ \ = "sql_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\타ၿȑ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\타ၿȑ\ = "sql_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\㍫ᆗ૵ဆ臐ᇦȑ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Ꮬȑ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\T\ = "sql_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\〠沼翾\ = "sql_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\\ = "sql_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\㍫ᆗ૵ဆ臐ᇦȑ\ = "sql_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\涠Ꮯȑ\ = "sql_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\sql_auto_file	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
464	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1504	POWERPNT.EXE
1824	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
916	chrome.exe
916	chrome.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeRestorePrivilege	1692	7zG.exe
Token: 35	1692	7zG.exe
Token: SeSecurityPrivilege	1692	7zG.exe
Token: SeSecurityPrivilege	1692	7zG.exe
Token: SeBackupPrivilege	1336	dw20.exe
Token: SeBackupPrivilege	1336	dw20.exe
Token: SeDebugPrivilege	3040	taskmgr.exe
Token: SeSystemProfilePrivilege	3040	taskmgr.exe
Token: SeCreateGlobalPrivilege	3040	taskmgr.exe
Token: 33	3040	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3040	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
1692	7zG.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
4792	lpsprt.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe
3040	taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2760	[email protected]
1336	dw20.exe
1504	POWERPNT.EXE
1504	POWERPNT.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe
4760	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4772	916	chrome.exe	85
PID 916 wrote to memory of 4772	916	chrome.exe	85
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 2228	916	chrome.exe	86
PID 916 wrote to memory of 868	916	chrome.exe	87
PID 916 wrote to memory of 868	916	chrome.exe	87
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88
PID 916 wrote to memory of 3872	916	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Live%20Protection%20Suite%202019.zip
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6cf19758,0x7ffe6cf19768,0x7ffe6cf19778
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:2
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1792,i,16042682397773013011,7333580028725671732,131072 /prefetch:8
  2⤵
  PID:940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5060

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4009:110:7zEvent18553
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1692

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2760
- C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
  "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 3984
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1336
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4792 -s 3168
    3⤵
    - Program crash
    PID:5052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4792 -ip 4792
1⤵
PID:3636

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3040

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4280

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:64

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:2192

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:3428

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:4920

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
1⤵
- Executes dropped EXE
PID:4656

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\SubmitResize.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\MovePing.xla"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4760
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AddBlock.sql
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:464

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9114a964dce44b95910bf576b7d8ddb3 /t 2240 /p 464
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Filesize
911KB

MD5
2e6360eeebcafd207ad6f4cfc81afdb3

SHA1
6d85d48c8c809ad0ee5f7b1b20ef79e871466072

SHA256
3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

SHA512
36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
7246f9f2393bdc38f441dfa3c338cece

SHA1
00ce20874528d1eb3560a3478f8c02296433f7aa

SHA256
efe795c0877c58b0dcfa936ccf52e5d83010475d88353485ea8ccc662b6d73c3

SHA512
3de31641dcef3cbdf5b58c191b9588d6411ef04ce8e549906ffd87735b0aeeb523c49d60f63970d895ec818bdf02bb1447823cd254da028905960c55807305b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
f414ba65903465f94ed6d1af236f59d0

SHA1
b8f048ac02278c90234b1647b47d201b05fe9f1f

SHA256
418f3b88d10cac2025154b81b207339610c5f311405ad555332cd32920dfec34

SHA512
10c2c7634573628af0712fa57f85d9edd42774d03c45ff6237127f695593a8be0c2ca1c1af1234ea01a930de04d72e3f41add7ae9f40c185f096ea342f3d8753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a98d7bd3a941bbc25c759b465e514d8e

SHA1
2446b543edd348aa31e40a07972d007ea79e0008

SHA256
38d5a04207d9dc28471bce9210f40bce9fdcb4d100ea26c543917b01f6458fb2

SHA512
e06d2ca8bcb68c9ed7339f986b02a0f83870f824d9e30409ed8b17681fe02205451699605295711cafd02bc523bf10a108b29ddabe21a97eebf39c38ae7bcbdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
702B

MD5
0e79302b628631e207ae95a723c4e4e4

SHA1
82115846d81fae83660ef361087e5e1ccc9c41d0

SHA256
47dbcbe8aa59e15bf8606c5dd53d977b859bf726779c81bfdc77041f51866e49

SHA512
c23049b12483001304013592ae9897926d1adff968c7fc024ac0f52f2f30a85101fa31e46f211a6946bf3935844ab08d7fd617aeac8d67f78ac83c19d4b1ea86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5bd4b11a379d77038632f6b7bf06211b

SHA1
1999329d59ee5ab3a10427b7d485306006da6e6c

SHA256
f4df1d3cbbe384a229d52ed8b1345a1a3b4302992438c0f12728328c99b39c3d

SHA512
20e46b277abc1b7306fee24b0c5b2e0adb31381c8a2d77ec2250d6224f6dd0c4b67750ffc4ef86494b025bd5ed8949314b2febb74c64454c5ff319433d492672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fb3fcf6c996a2d1130537fc2bc417f9c

SHA1
e85107c883ed1b62303c865ff01f8ccc93ee0a9b

SHA256
5979167d045efee9c25044a61f2980f8a638876e262135d69b4809695411db92

SHA512
70269a4602ab138efd4c6729b9e4a838c954fd5002489cb4ef4e51c32d5d21095a990ac79bcb155be9b1ea2a2ad972f3a73d50dd596d322f8430c76e26d577f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
33793023983b871425aa1459f5230ef6

SHA1
fa4bd6ed2596404e189b0e01cf3dd57f40788042

SHA256
f6acc2701be4932a29bfe03183bdb5ee9396ce4e14f559b9b1fad9e140e28b79

SHA512
f1e416c04830a592ca831f6f6afbb585e06d540ec9b25c9c7782f4e332bcfdb54d171de29dbfbf969497fa32c4a03fdff1aa92d412c89373a2e32b97f3b7b828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c01b67b6-e6ac-4cf2-a272-a15bfc23b739.tmp

Filesize
6KB

MD5
0470bb5b744386101eda6751b910e5a3

SHA1
626e9589c1ad6d22ad0c9aadfa692427d2f5c492

SHA256
b7c7e8abbcc2f2a6054b2d6c803e8aecaf9021767dfbd163e209e75e891bafc7

SHA512
015041bab0b593764e30861231618b121c5dfdc09186e246d550d16adfc07c6d4754e694785ae8c5158d1e5b22f2b1483b868349e74ca60de82c3446a1342079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
73c0c8027ef21324e2a6b3dcd74ce3a7

SHA1
aa3327cda13263d0ff972cd02ae719f92cfb2fac

SHA256
df5bc39a3b0529bc505990f7318cda3a062db84c8391adc00442cc1f14361ecc

SHA512
a085cb54d3d5654cea3871ef4d020ea8e0cda33223467b561581e34ed8fbb78768ec67fbb8e629dd746a8aaa2e9683bb69bd1a9791e0397b4487c5e72befa963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
c1db0fc55e1ec81d16747123e6085918

SHA1
c8cddb414716b271a5aeace35702726dd9661f40

SHA256
a2ef9e3e7e12fea0734ffae5f6f7d353a732ebd4c3fe5efad8058113603f33b2

SHA512
312949892b580e15f714ff30046047498ce29cb62a9f1d95ffac4a5ee4453b6e8d30112c35e36e99d775f69898e10d46d09735636213263cf917052fdc291920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\lpsprt.exe.log

Filesize
774B

MD5
42bdba115365f7c1ea6a5651fa6efc1b

SHA1
fefa3924f41ef6256567fd7ae6de99cfed2b8bbc

SHA256
f89cedafd39d3ff328f08fae08f1447c521e7553cafd37d3d557e84aa7dbfa5b

SHA512
fd07f40f5846220fc9201c6fe693cc00b7b17082990b18438dcb4f7ce4bd6d195704a62b0b98fad249cba1bbdd4223c4fb1299be2f113c8e03c9b5d27d0c6a9c

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\Desktop\[email protected]

Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\Downloads\Live Protection Suite 2019.zip.crdownload

Filesize
1010KB

MD5
7a5994fab80a2ed6adf59a93c7bc2d88

SHA1
fe2ddcefd45c378dfb19817de118fcf151c59b1f

SHA256
6ebad2ea4d537eb1ce11dd19d495fca3e2b8b4e50140d9b241b71f5f1bc71804

SHA512
5ba499f12ed0a5de31350530402327dc323aae7d414ee972bd652265e5226adef71d94c0b52a3bf0ebe8f95081c3c27708758ef15da58163492afdb664e08ad2

Download Submit
memory/1504-349-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-371-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-350-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-348-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-352-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-353-0x00007FFE47A60000-0x00007FFE47A70000-memory.dmp

Filesize
64KB

Download
memory/1504-354-0x00007FFE47A60000-0x00007FFE47A70000-memory.dmp

Filesize
64KB

Download
memory/1504-351-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-374-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-372-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1504-373-0x00007FFE4A2B0000-0x00007FFE4A2C0000-memory.dmp

Filesize
64KB

Download
memory/1824-380-0x00007FFE47A60000-0x00007FFE47A70000-memory.dmp

Filesize
64KB

Download
memory/1824-381-0x00007FFE47A60000-0x00007FFE47A70000-memory.dmp

Filesize
64KB

Download
memory/2192-339-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3040-322-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-319-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-324-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-325-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-313-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-314-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-315-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-323-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-321-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3040-320-0x000002D5AAC50000-0x000002D5AAC51000-memory.dmp

Filesize
4KB

Download
memory/3428-338-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/4280-330-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-334-0x000000001FDA0000-0x000000001FDC4000-memory.dmp

Filesize
144KB

Download
memory/4280-332-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-389-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-329-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-341-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-342-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-394-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-343-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-328-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-327-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-393-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4280-390-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/4792-306-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-302-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-301-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-299-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-297-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-298-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-296-0x000000001C3B0000-0x000000001C3FC000-memory.dmp

Filesize
304KB

Download
memory/4792-295-0x000000001AE00000-0x000000001AE08000-memory.dmp

Filesize
32KB

Download
memory/4792-294-0x000000001C2B0000-0x000000001C34C000-memory.dmp

Filesize
624KB

Download
memory/4792-293-0x000000001C160000-0x000000001C206000-memory.dmp

Filesize
664KB

Download
memory/4792-292-0x000000001BF10000-0x000000001C0AC000-memory.dmp

Filesize
1.6MB

Download
memory/4792-291-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-303-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-304-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4792-290-0x000000001B2F0000-0x000000001B7BE000-memory.dmp

Filesize
4.8MB

Download
memory/4792-289-0x0000000000050000-0x0000000000070000-memory.dmp

Filesize
128KB

Download
memory/4792-305-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/5032-344-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download