Malware Analysis Report

2024-10-23 19:16

Sample ID 230721-j9vjyadd4t
Target https://bazaar.abuse.ch/sample/2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98/
Tags
gurcu collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted target is the MalwareBazaar page for the sample with SHA-256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98, not the sample itself. The behavioral run opened that page in Chrome; the process and signature data below then show the sample running from C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe and again from a copy of itself at C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe (the "Executes dropped EXE" hit), with 7zG.exe, taskmgr.exe and mmc.exe also active, which points to an analyst driving the session interactively. The sample was found to be: Known bad (Gurcu / WhiteSnake stealer).

Because signatures are attributed per process, read the summary below with that session in mind. Hits the tables tie to the sample's own executable are the family match, the Geo\Nation locale check, the Outlook profile reads, the ip-api.com external IP lookup and process enumeration; the browser-profile reads and the installed-software check carry the stealer and discovery tags but list no rows; schtasks.exe and PING.EXE are recorded without their parent process. Hits whose rows name only chrome.exe, taskmgr.exe, mmc.exe or 7zG.exe (AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx, GetForegroundWindowSpam, chrome.exe writing to its own child processes, the SCSI and BIOS registry reads, the taskschd.msc write by mmc.exe, and the HKEY_USERS and registry-class changes) come from the browser and the analyst's tools, not from the sample.

Malicious Activity Summary

gurcu collection discovery spyware stealer

Gurcu, WhiteSnake

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of FindShellTrayWindow

Modifies registry class

Uses Task Scheduler COM API

Creates scheduled task(s)

Enumerates system info in registry

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-21 08:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-21 08:22

Reported

2023-07-21 08:28

Platform

win10v2004-20230703-en

Max time kernel

315s

Max time network

317s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98/

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A | 2

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A | 2
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A | 2
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A | 2

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133344013761678489" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
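The behaviours the tables above tie to the sample (a copy executing from C:\Users\Admin\AppData\Local\EsetSecurity, the ip-api.com lookup, and schtasks.exe and PING.EXE running) are the ones to carry into endpoint detection. The Python below is an added example and not part of this report: it correlates Sysmon-shaped ProcessCreate (Event ID 1) and DnsQuery (Event ID 22) records per ProcessGuid and alerts only when one process accumulates at least two independent indicators, so a lone ip-api.com lookup by an updater does not fire. The events are constructed to mirror the report's indicators; the browser allowlist, the user-writable path pattern and the two-indicator threshold are assumptions, and because the report does not record which process launched schtasks.exe and PING.EXE, the example assumes the sample did. The Geo\Nation and Outlook profile reads are left out because Sysmon logs registry key creation and value writes, not reads.

```python
"""Correlate Sysmon-shaped telemetry for the behaviours this report ties to the
Gurcu/WhiteSnake sample. Added example: EVENTS are constructed to mirror the
report's indicators and are not taken from a real host or from the sandbox."""
import re
from collections import defaultdict

SHA256 = "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98"
DOWNLOADED = "C:\\Users\\Admin\\Downloads\\" + SHA256 + "\\" + SHA256 + ".exe"  # from the report
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\EsetSecurity\\" + SHA256 + ".exe"  # from the report

# Indicators taken from the report's signature tables.
DROP_DIR = re.compile(r"\\AppData\\Local\\EsetSecurity\\", re.IGNORECASE)
IP_LOOKUP_DOMAINS = {"ip-api.com"}
HELPERS = {"schtasks.exe", "ping.exe"}  # helpers the report shows running
# Assumptions: what counts as a user-writable launch path, which images may
# legitimately hit IP-lookup services, and how many indicators justify an alert.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Downloads)\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MIN_INDICATORS = 2


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_events(events):
    """Group indicator hits by Sysmon ProcessGuid and return {guid: [reasons]} for
    every process with at least MIN_INDICATORS distinct reasons. Helper spawns are
    credited to the parent, so schtasks.exe/ping.exe launched by the sample count
    against the sample rather than against the helper."""
    reasons = defaultdict(set)
    for e in events:
        if e["EventID"] == 1:  # ProcessCreate
            if DROP_DIR.search(e["Image"]):
                reasons[e["ProcessGuid"]].add(
                    "runs from %LOCALAPPDATA%\\EsetSecurity (vendor-name masquerade)")
            if image_name(e["Image"]) in HELPERS and USER_WRITABLE.match(e["ParentImage"]):
                reasons[e["ParentProcessGuid"]].add(
                    "spawns " + image_name(e["Image"]) + " from a user-writable path")
        elif e["EventID"] == 22:  # DnsQuery
            if (e["QueryName"].lower() in IP_LOOKUP_DOMAINS
                    and image_name(e["Image"]) not in BROWSERS):
                reasons[e["ProcessGuid"]].add(
                    "non-browser external IP lookup: " + e["QueryName"])
    return {g: sorted(r) for g, r in reasons.items() if len(r) >= MIN_INDICATORS}


def ev(eid, guid, image, **fields):
    return {"EventID": eid, "ProcessGuid": guid, "Image": image, **fields}


EVENTS = [  # constructed sample telemetry
    ev(1, "{G0}", DOWNLOADED, ParentImage="C:\\Windows\\explorer.exe", ParentProcessGuid="{GX}"),
    ev(1, "{G1}", DROPPED, ParentImage=DOWNLOADED, ParentProcessGuid="{G0}"),
    ev(1, "{G2}", "C:\\Windows\\system32\\schtasks.exe", ParentImage=DROPPED, ParentProcessGuid="{G1}"),
    ev(1, "{G3}", "C:\\Windows\\system32\\PING.EXE", ParentImage=DROPPED, ParentProcessGuid="{G1}"),
    ev(22, "{G1}", DROPPED, QueryName="ip-api.com"),
    # Benign look-alikes that must not fire on their own:
    ev(22, "{G4}", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", QueryName="ip-api.com"),
    ev(1, "{G5}", "C:\\Windows\\system32\\schtasks.exe",
       ParentImage="C:\\Windows\\system32\\svchost.exe", ParentProcessGuid="{GY}"),
    ev(22, "{G6}", "C:\\Program Files\\Vendor\\updater.exe", QueryName="ip-api.com"),
]

if __name__ == "__main__":
    for guid, why in score_events(EVENTS).items():
        print(guid)
        for r in why:
            print("  -", r)
```

Run as a script it prints the one flagged process ({G1}, the dropped copy) with four reasons; in production the same function would consume records from the Sysmon operational log or a SIEM export instead of the embedded list.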

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 4
N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A | 3
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 34

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 32
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 32

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 33
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A | 1
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 30

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 24
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 40

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\mmc.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1748 wrote to memory of 4736 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2
PID 1748 wrote to memory of 1556 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 38
PID 1748 wrote to memory of 920 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2
PID 1748 wrote to memory of 4176 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 22

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa679a9758,0x7ffa679a9768,0x7ffa679a9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4748 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\" -spe -an -ai#7zMap2255:190:7zEvent19310

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 --field-trial-handle=1860,i,12385385014013056322,14135842595464667468,131072 /prefetch:2

C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

"C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp2D85.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 424 -p 2040 -ip 2040

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2040 -s 2340

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 512 -p 2064 -ip 2064

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2064 -s 1840
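The cmd.exe chain in the process list above (chcp, a ping to loopback used as a short delay, schtasks /create, DEL of the downloaded copy, START of the relocated copy under AppData\Local\EsetSecurity) is the sample's persistence step. The Python below is an added example written for this page, not code from the sandbox report or from the malware: it splits such a chained command on the `&&` operators, extracts the schtasks parameters and flags the traits a detection rule would key on (per-minute schedule, HIGHEST run level, a target under the user's AppData, deletion of the original binary, relaunch from the new path). The command line is an inline copy of the one recorded above; the finding labels are this example's own naming and not anything the report defines.

```python
import re

# Inline copy of the cmd.exe command line recorded in the process list (sample input).
H = '2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98'
DROPPED = rf'C:\Users\Admin\AppData\Local\EsetSecurity\{H}.exe'
ORIGINAL = rf'C:\Users\Admin\Downloads\{H}\{H}.exe'
SAMPLE_CMDLINE = (
    rf'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    rf'schtasks /create /tn "{H}" /sc MINUTE /tr "{DROPPED}" /rl HIGHEST /f && '
    rf'DEL /F /S /Q /A "{ORIGINAL}" &&START "" "{DROPPED}"'
)


def split_chain(cmdline):
    """Split a 'cmd.exe /C ...' command into its '&&'-chained segments.

    '&&' inside double quotes is not a separator. Only '&&' is handled here;
    '&' and '||' chaining are left as an exercise for the reader.
    """
    m = re.search(r'\s/[Cc]\s+', cmdline)
    body = cmdline[m.end():] if m else cmdline
    segments, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quote = not in_quote
        if not in_quote and body.startswith('&&', i):
            segments.append(''.join(buf).strip())
            buf, i = [], i + 2
            continue
        buf.append(ch)
        i += 1
    segments.append(''.join(buf).strip())
    return [s for s in segments if s]


def tokenize(segment):
    """Split on whitespace, keeping double-quoted arguments (quotes removed) as one token."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', segment)]


def parse_schtasks(tokens):
    """Map schtasks switches to their values; valueless switches map to True."""
    valueless = {'create', 'delete', 'query', 'change', 'run', 'end', 'f'}
    parsed, i = {}, 1  # tokens[0] is 'schtasks'
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            key = tok[1:].lower()
            if key in valueless or i + 1 >= len(tokens) or tokens[i + 1].startswith('/'):
                parsed[key] = True
                i += 1
            else:
                parsed[key] = tokens[i + 1]
                i += 2
        else:
            i += 1
    return parsed


def assess_persistence(cmdline):
    """Return the scheduled-task parameters and the findings for one chained command."""
    segments = split_chain(cmdline)
    findings, task = [], {}
    for seg in segments:
        tokens = tokenize(seg)
        if not tokens:
            continue
        verb = tokens[0].lower()
        if verb == 'ping' and any(t in ('127.0.0.1', 'localhost', '::1') for t in tokens[1:]):
            findings.append('sleep_via_ping')  # loopback ping is a cmd-only delay (about 3 s by default)
        elif verb == 'schtasks' and 'create' in (t.lstrip('/').lower() for t in tokens):
            task = parse_schtasks(tokens)
            if str(task.get('sc', '')).upper() == 'MINUTE':
                findings.append('task_runs_every_minute')
            if str(task.get('rl', '')).upper() == 'HIGHEST':
                findings.append('task_requests_highest_run_level')
            target = str(task.get('tr', '')).lower()
            if target.startswith('c:\\users\\') and '\\appdata\\' in target:
                findings.append('task_target_in_user_appdata')
        elif verb == 'del' and '/f' in (t.lower() for t in tokens):
            deleted = [t for t in tokens[1:] if not t.startswith('/')]
            if deleted and task.get('tr') and deleted[-1].lower() != task['tr'].lower():
                findings.append('deletes_original_binary_after_relocation')
        elif verb == 'start' and task.get('tr') and tokens[-1].lower() == task['tr'].lower():
            findings.append('relaunches_from_scheduled_task_path')
    return {'segments': len(segments), 'task': task, 'findings': findings}


if __name__ == '__main__':
    print(assess_persistence(SAMPLE_CMDLINE))
```

Two caveats when turning this into a rule: `/rl HIGHEST` only yields an elevated token if the creating account is an administrator, since with no `/ru` the task runs as that same account; and the task name here is the sample's SHA256, so match on the shape of the chain (schtasks plus DEL plus START of the same path, with a per-minute trigger) rather than on the name.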

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 151.101.2.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 8.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 155.245.36.23.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 172.217.168.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 234.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 assets.msn.com udp
GB 2.22.249.211:443 assets.msn.com tcp
US 8.8.8.8:53 211.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
NL 172.217.168.234:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.48.227:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 227.48.178.192.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 cybereason.com udp
US 8.8.8.8:53 google.kz udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 twitter.com udp
CA 45.60.107.106:80 cybereason.com tcp
NL 142.250.179.132:80 google.kz tcp
NL 142.250.179.132:80 google.kz tcp
US 104.244.42.1:80 twitter.com tcp
US 104.244.42.1:80 twitter.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 104.244.42.1:443 twitter.com tcp
US 8.8.8.8:53 cyware.com udp
US 104.244.42.1:443 twitter.com tcp
US 15.197.166.200:80 cyware.com tcp
US 15.197.166.200:80 cyware.com tcp
US 15.197.166.200:443 cyware.com tcp
US 15.197.166.200:443 cyware.com tcp
US 8.8.8.8:53 www.cybereason.com udp
US 45.60.62.106:80 www.cybereason.com tcp
US 8.8.8.8:53 132.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 106.107.60.45.in-addr.arpa udp
US 8.8.8.8:53 200.166.197.15.in-addr.arpa udp
US 45.60.62.106:443 www.cybereason.com tcp
US 8.8.8.8:53 106.62.60.45.in-addr.arpa udp
US 15.197.166.200:443 cyware.com tcp
IT 190.211.254.182:9001 tcp
SG 116.12.180.237:7443 tcp
US 8.8.8.8:53 182.254.211.190.in-addr.arpa udp
US 8.8.8.8:53 237.180.12.116.in-addr.arpa udp
US 107.155.81.178:443 tcp
GI 94.131.15.74:443 tcp
AT 86.59.119.83:443 tcp
N/A 127.0.0.1:60827 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 83.119.59.86.in-addr.arpa udp
US 8.8.8.8:53 74.15.131.94.in-addr.arpa udp
US 8.8.8.8:53 178.81.155.107.in-addr.arpa udp
US 15.197.166.200:443 cyware.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 15.197.166.200:443 cyware.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 youtube.kz udp
CH 140.238.218.94:8080 140.238.218.94 tcp
NL 142.251.39.110:80 youtube.kz tcp
NL 142.251.39.110:443 youtube.kz tcp
US 8.8.8.8:53 110.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 94.218.238.140.in-addr.arpa udp
DE 46.235.26.83:8080 46.235.26.83 tcp
DE 168.119.121.16:8080 tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 83.26.235.46.in-addr.arpa udp
GB 51.77.125.62:8080 tcp
N/A 127.0.0.1:60893 tcp
US 8.8.8.8:53 208.240.110.104.in-addr.arpa udp
FR 185.189.159.121:8001 tcp
FI 65.21.49.163:8080 tcp
DE 167.86.115.218:9090 tcp
FR 46.226.106.173:8080 46.226.106.173 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 173.106.226.46.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
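The Network table mixes three sources of traffic: the Chrome session that fetched the sample (googleapis, msn, gvt2 and the bazaar.abuse.ch page itself), reverse-DNS lookups the sandbox issues for every address it observes (the in-addr.arpa rows), and the sample's own activity (the archive.torproject.org fetch that precedes the tar.exe extraction of tor.exe, the direct-to-IP connections that follow, the ip-api.com external-IP lookup, api.telegram.org). The Python below is an added triage helper for this page, not part of the report: it parses rows in the table's format, discards loopback, multicast and reverse-lookup noise, separates a background allowlist (an assumption of this example; tune it to the sandbox image), and isolates the direct-to-IP connections that carry no resolved name, which is the shape Tor relay traffic takes. The input rows are a constructed excerpt of the table above; the 9001 check is a heuristic on Tor's default ORPort, not proof of Tor.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the Network table above (sample input for this example).
SAMPLE_ROWS = """\
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 151.101.2.49:443 bazaar.abuse.ch tcp
NL 172.217.168.234:443 content-autofill.googleapis.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 archive.torproject.org udp
DE 159.69.63.226:443 archive.torproject.org tcp
IT 190.211.254.182:9001 tcp
SG 116.12.180.237:7443 tcp
N/A 127.0.0.1:60827 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
CH 140.238.218.94:8080 140.238.218.94 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
"""

# Assumption: names the detonation environment reaches on its own (Chrome, Windows,
# the submitted bazaar.abuse.ch page). A leading dot matches the name and its subdomains.
BACKGROUND_SUFFIXES = ('.googleapis.com', '.gvt2.com', '.msn.com',
                       '.bazaar.abuse.ch', '.clients2.google.com')


def parse_row(line):
    """Parse 'Country Destination [Domain] Proto'; return None for anything else."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ''
    else:
        return None
    ip, port = dest.rsplit(':', 1)
    return {'country': country, 'ip': ip, 'port': int(port), 'domain': domain, 'proto': proto}


def is_background(domain):
    return any(domain == s[1:] or domain.endswith(s) for s in BACKGROUND_SUFFIXES)


def triage(rows_text):
    """Bucket each row into dropped noise, background, DNS queries, named endpoints or direct IPs."""
    result = {'dns_queries': set(), 'background': set(), 'named': defaultdict(set),
              'direct_ip': set(), 'dropped': 0}
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        addr = ipaddress.ip_address(row['ip'])
        if addr.is_loopback or addr.is_multicast or addr.is_private:
            result['dropped'] += 1  # local Tor SOCKS/control traffic, mDNS, etc.
            continue
        if row['proto'] == 'udp' and row['port'] == 53:
            if row['domain'].endswith('.in-addr.arpa'):
                result['dropped'] += 1  # sandbox reverse lookups, not sample behaviour
            elif is_background(row['domain']):
                result['background'].add(row['domain'])
            else:
                result['dns_queries'].add(row['domain'])
            continue
        endpoint = f"{row['ip']}:{row['port']}"
        if not row['domain'] or row['domain'] == row['ip']:
            result['direct_ip'].add((row['country'], endpoint, row['proto']))
        elif is_background(row['domain']):
            result['background'].add(row['domain'])
        else:
            result['named'][row['domain']].add(endpoint)
    return result


def tor_orport_candidates(result):
    """Direct-to-IP TCP connections on 9001, Tor's default ORPort (heuristic only)."""
    return sorted(ep for _, ep, proto in result['direct_ip']
                  if proto == 'tcp' and ep.endswith(':9001'))


def iocs(result):
    """Sorted block/hunt list: non-background names plus every direct-to-IP endpoint."""
    names = set(result['named']) | result['dns_queries']
    return sorted(names | {ep for _, ep, _ in result['direct_ip']})


if __name__ == '__main__':
    r = triage(SAMPLE_ROWS)
    print('direct IP:', sorted(r['direct_ip']))
    print('Tor ORPort candidates:', tor_orport_candidates(r))
    print('IOCs:', iocs(r))
```

Direct-to-IP endpoints chosen by tor.exe are relays, not attacker infrastructure, so they belong in a hunt list for "Tor from an unexpected process" rather than in a permanent block list; the named endpoints and the api.telegram.org connection are the rows worth correlating with the process that opened them.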

Files

\??\pipe\crashpad_1748_SFMLFDLOMCRTAGSY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

MD5 442d0e9e8515f3517372c89d7d94fe9b
SHA1 768598cde1ba553c3b208f842b06eb80b94f2939
SHA256 205f37c78cda70f635fd72e1d99079d7c4d88e54e88b04a0d746455eefe3b979
SHA512 cd396095eb7640706063c45d951e49ec380ddd5f61088a26df2471d4424b14579708842ff971a5abe41f03218364ee5f7246d26bf2a0d3e08998bd580abcf739

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7bb1ca65e82a0e4e3ef03a81281f798a
SHA1 e48e771c2c32081058bb7ce536ef94e8bf6f09e9
SHA256 49a1de24fe9c834059ff82f694daaa14cc1a3572939390e14960d344a8c5e3d1
SHA512 70268f09240cb3347c8b1306d6cd00414ea13950f5a879ac70e58e11f52a393f2a1a1b428a3679cccc01a88ef45c6793ab67922b5f5a66d1fdf5d09f0583ce98

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5974252d0eb5a4271fc7e6f175d70006
SHA1 f661939a355e75c53a9350171595cfaa29396da3
SHA256 6200bf61c8469bcd90c749d3d58cb1f261746933bbc5a12ae9de10869348a446
SHA512 55ba182cc75dc4f26deb6c7dddd85a2d607522866e3d85d5b9ed3903249d9422040f01a0cff6502233da9023b3afd21fe292b1d97d819f5434358b47660d85e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f6bc3ce3c1d93a7bb740ad87dc4daeda
SHA1 b8726f0339895d6ab30a202f1e904b3b6871ef2c
SHA256 e3fe016155d184d7f9e730e055e198ffe1052129afa9ae85d41ae6f6ae6b4592
SHA512 84147cf55924d13c526043f59643c74260eb4c8af267bdc53801f63b034056a0d43e8d40abc6a15821aa0d45ce27bc5e969921cc14c4aee52611f6af71a0b039

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e8382cf007903649d33f9fff6d656592
SHA1 c90828f1babfc7df4e3badaa4d8ebfc2b02aab92
SHA256 93e8992835d26d71085eac9356566e58d9a51ba8665f601d9c90e9e064104083
SHA512 856a20b9dead319a5e705cfadbd0c2989576f555692578a9febdf9fe20148e2f6392997945437aecbff1da30431b40734222ea552210879c7302314974b1974e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b368549c229d9442bf15f7cbf8529f25
SHA1 7ed94db870dcfac2248f5dd9d53d3aa7b6f8ab99
SHA256 14424930e149f522d93b2430e1a4aaccd623b219340da11ece5587d2e4e58135
SHA512 b73542b049745956b5ab82d3f9b6fd639ba0f0ca4e3157e2f80d4fad0a3ab846ab172bde1f43dc96106b996f29682259952481dcfc2bbf03e336ce707cbaaa68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a0e5514472d2271eb1fe34dfe6e99c18
SHA1 0b1c21e4fd3da2e742dc047b75b02dca04cfcfe4
SHA256 6e3686841a22efa2abbd0fa3eada6fdf31b6d5dac711225dc006d87c8afbd5a2
SHA512 714a5d98e7b196038dbf848de3009de545551df362371495e96654b0e1837b3ef377870d1eed0eb19fc10455828388c4d83ffa6c3b59ed0dde34a7eb4671e819

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9a2f5e63a89671a42fdc8802391c0b3f
SHA1 ff4e3a3270e0bfa13db33bcbff02f04360e9ade8
SHA256 9a8dcd191a0f965393e9a4ec9033d5314fbb58b342fcd821a5a0db27596a505e
SHA512 07c06e921e320456495bf3bc2700d2b484675ccc3736103a046bb8882dd7d66d9e7fe8f2125c6dd1368e2dde69428cae02f626f06f4db9900eb6b224e460c133

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 868038e502e662c3d1607d157ec03e55
SHA1 82f51532a9a05b0c67610369e24ce5abdc4f5284
SHA256 e4ae46b40e4123dc329cb06770654ebe19971f5fadf6303d327179f953282710
SHA512 6250890615b77831ff44ec7fe7dce459d460006ae3ca3aec676601eaec7e4c03715439754b7e04ff12dad1f238a369f3f3721d633f963aa0ab249a7883b8e12f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

MD5 3b5537dce96f57098998e410b0202920
SHA1 7732b57e4e3bbc122d63f67078efa7cf5f975448
SHA256 a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88
SHA512 c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

MD5 0ce7bf20be2d5afad791c7b87dd24f20
SHA1 f0d6c6f1f5560281a3a42060037940130c4c6097
SHA256 b3664954574167ffab238da481247a371ecaafa135a636af08e572795fd04325
SHA512 0c24363846c6f19862b24399f93fe31e47f8eb18f1e3c486074ceac5360cfcdef8be439a29dc8a66d932bc6857663373dc91d490bedb21d9eb434822eda70260

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2454219a2ce13c5983958f09a1d336c2
SHA1 927ea4862f7c0c9c6e23392efeb405d0102e3941
SHA256 620c2fa8581f2152e362ed92f4894eb0df9fe44830dccbaced09db01a3dd2a05
SHA512 268300db5021d54aecba0833a1bdb9f0344599de03fb5221dd3359a5f226b7cd19b3d7e9e92072e0d6b3aeb6e3b73b5fbd3f51cd266f9ea330ba893d95ac6f54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd71200d8098dbeb63c6f875284d2b14
SHA1 b63d506a922b476e0f5e4ebe2310050deb9752af
SHA256 cbf4d78f199836c714fe51b2896692979834415e56ca5bb296d9debd64165158
SHA512 ba63f9d3e43d4d60e7773b6f0c282abb9d0fbc8568e25ce9c9a8b004dd908ca89439593ecb4f8ec8be5cb19508529c3c74ca167be6742a20c6f653548f0c64c0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e560b0ecc6d881b578c33a564a2059d5
SHA1 d53e4b4fbbd68af6f50d1a0a45196dcb4e727650
SHA256 836e34dbda1a9d5fac14ac37e13c14d6a8cf9a0bf3f44c82a49302c0977f5d1b
SHA512 ffd3605d73708930a18b8d29a27122bd7a0b86b3cb5e4250c355c0068e79ae2210a405765abbdf6c397d7f9ca2744f601cba6c10c0a846c9e3861ce927772a00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a0a9f842582f071ed69ef24d60533cbe
SHA1 6342fab3ceff4f70d8e881abb2823e767c315eac
SHA256 ea3e9c4cd06d0b136bd0bc9ad04b621786117b8698956ee0e04c55014d879d13
SHA512 e217d0744a89dce0d0e44d81d330ee99a5f72c9991fc62b8f48fdaddd1f276ed5f931ee1841f7dedb56d9fe15e98048ef8d7d84326451136e9280a4cb39a0efa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe595fd9.TMP

MD5 cd8c2ee388a870dda4420164547e1c1b
SHA1 de0ab96e9505fa602acaf007ec49358f296f3cf0
SHA256 7e8afb93ae2b9ddf619b2e80d751c8253de954103976c5b81aca75db7fa65b0f
SHA512 bf34adcc51fbcaacaa58bdf1cc0ecf4580da53bc63ca57682ebf4098c0dd641bca7115ca826985074a0aeb02140742967c5723154bcfffdce06896655db4b841

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 da182ea645f8eebc60d803be0ae22299
SHA1 2ff602e71541c71ce3e109c8edcbd1792fef28f8
SHA256 d9d8c44923bd679a81f578482f1f87881a099d6ef76f1fdff25a9d11ad67d4ac
SHA512 3843f00d10f44f99eab01de528320fd6e20326069105c84a6b24ade57394a619deaed4e6d317d45882de0812e59146d746c705c357f22db391208d798cfcf39b

C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.zip

MD5 df98441b78e01e15e81e292a088c36a5
SHA1 2d7484611819da4d796fa41f75c702809f2a4157
SHA256 9920f28c789c1af1e011df0508075ecc6a8bc609a73dcf23282971e6cc6fa66d
SHA512 5c731b0132ebc19918451dd8971141b34f5f27e5febd8bb7e8f7e6cf823c3f250e02df587676d4e985a8316a55234c0c3c75e0d30f839a523e24325010cc9dff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 aab9d1fc132b9d461e424c41d0ab7e04
SHA1 4ee539c302178f2c5f8bcc8f103e24f3e6053497
SHA256 b46d93cd3942631d74bce975f4a3e6cb62f10098eb4f5d17d7821672981b5d3e
SHA512 d9252fa805e6d4f4ba4f21206e6c8ee0f69f15ab2a1a7f59054ca2f5cfceda90f17f458d03f21bc8a239fd2579a626d8069be9722380e1fc65a320d6ace581b3

C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

C:\Users\Admin\Downloads\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

memory/4216-345-0x00000264BB410000-0x00000264BB4AA000-memory.dmp

memory/4216-346-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

memory/4216-347-0x00000264BB8C0000-0x00000264BB8D0000-memory.dmp

memory/4216-351-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe.log

MD5 fc1be6f3f52d5c841af91f8fc3f790cb
SHA1 ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA256 6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA512 2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

memory/4256-356-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7bb1ca65e82a0e4e3ef03a81281f798a
SHA1 e48e771c2c32081058bb7ce536ef94e8bf6f09e9
SHA256 49a1de24fe9c834059ff82f694daaa14cc1a3572939390e14960d344a8c5e3d1
SHA512 70268f09240cb3347c8b1306d6cd00414ea13950f5a879ac70e58e11f52a393f2a1a1b428a3679cccc01a88ef45c6793ab67922b5f5a66d1fdf5d09f0583ce98

C:\Users\Admin\AppData\Local\Temp\tmp2D85.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt

MD5 93338c40030ba128ae286e6e054423e7
SHA1 4e47b4d315130f166a6515487d5402ac92d0f9b5
SHA256 44eca962cac9a295e9d56ffa04cc59f8c93746b0e03774e3167acd3be927f0a6
SHA512 c932239e0620350a2fd28e6d4c4db89432db78b166d4dfde7596e1ce5cb3e258030f85dccad497a3116b8fb5235d86265936ed907bde725a9e174e68c510a622

C:\Users\Admin\AppData\Local\x22nso3f7r\host\hostname

MD5 98b819776090956cd50ac7e513f57d2a
SHA1 d02e988a8fa7740addb42bc040786d6d378ec6f9
SHA256 cb90b70aeb594dadc52239bcc799824b293b22d021b9798a6cb81fe46b61c787
SHA512 4ea7609d8d5e68df35b887b4b0fb047adb602117e6df6c4f89e2fba5ee524f719a3cf10bf58438f2bcb8d7a0120101893cde6c757cb041582d6a8dc0e5073957

memory/4256-385-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdesc-consensus.tmp

MD5 d5a455e55c380c0d6851ce1f0f2b2866
SHA1 bb9ca92d3ee60963326368b298e8c0b9d84c4624
SHA256 b8b8c31f3906ff13a489f0ec8b32c13ea79cf412d51acf595e93b0bc54fa9b49
SHA512 322dedfee1c64eca986bb43dd41cf63c670756e24bce8d4516332e679e4c89f959ce5b8749601b802b88ec2d7173a6945c935faafdeaf9ef04e9582bf677128e

C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdescs.new

MD5 c540caf61c520a70944ee8688f179722
SHA1 169c5fd1a808dd77c65c34818362f5426441e870
SHA256 27cfe07b913107472c84c37992bdc5b118c31c914d087a1018ce7dc24b282112
SHA512 4a1e45c04c5eff90646c732e21f533fb7930731f54e64b7e56314070abe85139585add1065ba121beaee9861cba71e171c0f70d64ac5053ed3979e1157240b07

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

memory/2040-419-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

memory/2040-420-0x0000022760710000-0x0000022760720000-memory.dmp

C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat

MD5 03fa2f7502f5f6b9169e67d17cbf51bb
SHA1 f17d5a057363c3e13f6d4fc68291c5d94c6cfa9d
SHA256 5dc3c3700c46499d89e7e810366d9d873e4da6b54c072f8ce515d47d7926878c
SHA512 cc56b5ec25d5a7634a4acb52156c26971e4423397531cb4078df85aadc7ea77538afbf5b843ac7fe489bfc433592eaabaa1c74e5bc36b3c071532832bb5dc11c

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

memory/2040-423-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

memory/1684-429-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-428-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-430-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-434-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-435-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-436-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-437-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-439-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-438-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1684-440-0x000001E9625F0000-0x000001E9625F1000-memory.dmp

memory/1588-445-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

memory/1588-446-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-447-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-448-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-449-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-450-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

memory/1588-452-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-453-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-454-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-455-0x000000001ED20000-0x000000001EE20000-memory.dmp

memory/1588-456-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-458-0x000000001C8C0000-0x000000001C8D0000-memory.dmp

memory/1588-460-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

MD5 fdb8081ac26d8de3f7582b2616bcf3e8
SHA1 c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

memory/2064-462-0x00007FFA53A80000-0x00007FFA54541000-memory.dmp

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192