hawkeye | ad90872dfd4b64dfbff9c38d36bd8b1fdb4173a14e84ad9d151d56d36dc87d08

Resubmissions

05-02-2024 19:28

240205-x6tp5agfhp 10

05-02-2024 16:28

240205-ty322scah7 10

04-02-2024 23:08

240204-24qb5sehfn 10

Analysis

max time kernel
59s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9066bf885cd72e46771654d0d8be15d3.exe
Size

201KB
MD5

9066bf885cd72e46771654d0d8be15d3
SHA1

13afce866b59c99fa0319b7f204e6b6828d4b22c
SHA256

ad90872dfd4b64dfbff9c38d36bd8b1fdb4173a14e84ad9d151d56d36dc87d08
SHA512

ed55f1e9567c5076172f9037a6487fe406b0a87ecb7f8cc892a2e2d1cd9a2d832f7286d286dc90b85de34ecc0216309e5fe658c9c14cbaf07d4e1a4df42861ec
SSDEEP

6144:Cz+glrx25snmJr/TqRd4y/Nns9ImK+BqIbsJHo57:Cz+glrxcsnor/mRGmsCt+BqFxod

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windws.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	explorer.exe

Deletes itself 1 IoCs

pid	Process
3012	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
3012	explorer.exe
2564	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
1392	SiaPort.exe

Loads dropped DLL 8 IoCs

pid	Process
1372	9066bf885cd72e46771654d0d8be15d3.exe
1372	9066bf885cd72e46771654d0d8be15d3.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
2484	mvscavAP.exe
2484	mvscavAP.exe
2476	SiaPort.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2564-32-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2564-35-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2564-38-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2564-36-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2564-28-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2564-26-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2564-80-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windws.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\windws.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2564	3012	explorer.exe	44
PID 2476 set thread context of 1392	2476	SiaPort.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2784	reg.exe
2840	reg.exe
2824	reg.exe
2780	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe
2484	mvscavAP.exe
2476	SiaPort.exe
3012	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	9066bf885cd72e46771654d0d8be15d3.exe
Token: SeDebugPrivilege	3012	explorer.exe
Token: SeDebugPrivilege	2484	mvscavAP.exe
Token: 1	2564	explorer.exe
Token: SeCreateTokenPrivilege	2564	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2564	explorer.exe
Token: SeLockMemoryPrivilege	2564	explorer.exe
Token: SeIncreaseQuotaPrivilege	2564	explorer.exe
Token: SeMachineAccountPrivilege	2564	explorer.exe
Token: SeTcbPrivilege	2564	explorer.exe
Token: SeSecurityPrivilege	2564	explorer.exe
Token: SeTakeOwnershipPrivilege	2564	explorer.exe
Token: SeLoadDriverPrivilege	2564	explorer.exe
Token: SeSystemProfilePrivilege	2564	explorer.exe
Token: SeSystemtimePrivilege	2564	explorer.exe
Token: SeProfSingleProcessPrivilege	2564	explorer.exe
Token: SeIncBasePriorityPrivilege	2564	explorer.exe
Token: SeCreatePagefilePrivilege	2564	explorer.exe
Token: SeCreatePermanentPrivilege	2564	explorer.exe
Token: SeBackupPrivilege	2564	explorer.exe
Token: SeRestorePrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeDebugPrivilege	2564	explorer.exe
Token: SeAuditPrivilege	2564	explorer.exe
Token: SeSystemEnvironmentPrivilege	2564	explorer.exe
Token: SeChangeNotifyPrivilege	2564	explorer.exe
Token: SeRemoteShutdownPrivilege	2564	explorer.exe
Token: SeUndockPrivilege	2564	explorer.exe
Token: SeSyncAgentPrivilege	2564	explorer.exe
Token: SeEnableDelegationPrivilege	2564	explorer.exe
Token: SeManageVolumePrivilege	2564	explorer.exe
Token: SeImpersonatePrivilege	2564	explorer.exe
Token: SeCreateGlobalPrivilege	2564	explorer.exe
Token: 31	2564	explorer.exe
Token: 32	2564	explorer.exe
Token: 33	2564	explorer.exe
Token: 34	2564	explorer.exe
Token: 35	2564	explorer.exe
Token: SeDebugPrivilege	2476	SiaPort.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
1392	SiaPort.exe
1392	SiaPort.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 3012	1372	9066bf885cd72e46771654d0d8be15d3.exe	28
PID 1372 wrote to memory of 3012	1372	9066bf885cd72e46771654d0d8be15d3.exe	28
PID 1372 wrote to memory of 3012	1372	9066bf885cd72e46771654d0d8be15d3.exe	28
PID 1372 wrote to memory of 3012	1372	9066bf885cd72e46771654d0d8be15d3.exe	28
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2564	3012	explorer.exe	44
PID 3012 wrote to memory of 2484	3012	explorer.exe	43
PID 3012 wrote to memory of 2484	3012	explorer.exe	43
PID 3012 wrote to memory of 2484	3012	explorer.exe	43
PID 3012 wrote to memory of 2484	3012	explorer.exe	43
PID 2484 wrote to memory of 2476	2484	mvscavAP.exe	42
PID 2484 wrote to memory of 2476	2484	mvscavAP.exe	42
PID 2484 wrote to memory of 2476	2484	mvscavAP.exe	42
PID 2484 wrote to memory of 2476	2484	mvscavAP.exe	42
PID 2564 wrote to memory of 2576	2564	explorer.exe	41
PID 2564 wrote to memory of 2576	2564	explorer.exe	41
PID 2564 wrote to memory of 2576	2564	explorer.exe	41
PID 2564 wrote to memory of 2576	2564	explorer.exe	41
PID 2564 wrote to memory of 1984	2564	explorer.exe	40
PID 2564 wrote to memory of 1984	2564	explorer.exe	40
PID 2564 wrote to memory of 1984	2564	explorer.exe	40
PID 2564 wrote to memory of 1984	2564	explorer.exe	40
PID 2564 wrote to memory of 3028	2564	explorer.exe	38
PID 2564 wrote to memory of 3028	2564	explorer.exe	38
PID 2564 wrote to memory of 3028	2564	explorer.exe	38
PID 2564 wrote to memory of 3028	2564	explorer.exe	38
PID 2564 wrote to memory of 1100	2564	explorer.exe	37
PID 2564 wrote to memory of 1100	2564	explorer.exe	37
PID 2564 wrote to memory of 1100	2564	explorer.exe	37
PID 2564 wrote to memory of 1100	2564	explorer.exe	37
PID 3028 wrote to memory of 2784	3028	cmd.exe	30
PID 3028 wrote to memory of 2784	3028	cmd.exe	30
PID 3028 wrote to memory of 2784	3028	cmd.exe	30
PID 3028 wrote to memory of 2784	3028	cmd.exe	30
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2476 wrote to memory of 1392	2476	SiaPort.exe	31
PID 2576 wrote to memory of 2780	2576	cmd.exe	34
PID 2576 wrote to memory of 2780	2576	cmd.exe	34
PID 2576 wrote to memory of 2780	2576	cmd.exe	34
PID 2576 wrote to memory of 2780	2576	cmd.exe	34
PID 1100 wrote to memory of 2824	1100	cmd.exe	33
PID 1100 wrote to memory of 2824	1100	cmd.exe	33
PID 1100 wrote to memory of 2824	1100	cmd.exe	33
PID 1100 wrote to memory of 2824	1100	cmd.exe	33
PID 1984 wrote to memory of 2840	1984	cmd.exe	32
PID 1984 wrote to memory of 2840	1984	cmd.exe	32
PID 1984 wrote to memory of 2840	1984	cmd.exe	32
PID 1984 wrote to memory of 2840	1984	cmd.exe	32
PID 2544 wrote to memory of 2852	2544	chrome.exe	45
PID 2544 wrote to memory of 2852	2544	chrome.exe	45
PID 2544 wrote to memory of 2852	2544	chrome.exe	45
PID 2544 wrote to memory of 1724	2544	chrome.exe	49

C:\Users\Admin\AppData\Local\Temp\9066bf885cd72e46771654d0d8be15d3.exe
"C:\Users\Admin\AppData\Local\Temp\9066bf885cd72e46771654d0d8be15d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
    "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2564

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2784

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe:*:Enabled:Windows Messanger" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe:*:Enabled:Windows Messanger" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
"C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ea9758,0x7fef6ea9768,0x7fef6ea9778
1⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2392 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1140 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:2
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1320 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3000 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3884 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3996 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2332 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1096 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3028 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1648 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2636 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2780 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2384 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 --field-trial-handle=1200,i,13651766539697017233,7204957201133887688,131072 /prefetch:8
  2⤵
  PID:1672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
d6f580642626796571d8bf0dff99cb72

SHA1
1577fc57c0e480570d79727fa830cb427692be9b

SHA256
dcd41ac48d6114c20645304f7af2463b31616145108632e5ae67bef60a6607bd

SHA512
dfe13acdb00e19b12384dd000d86020ba0423544f6fc979d2b3cf75f4c8d429e7a5fa020a8b93661beb01587619c3bbc4134b793a31f151b142e7e1bbf24ae87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ae027e1a9f276e815145974c3d7a19d

SHA1
c2297eb578c9bee8112d87a9e6b4251cb733ce43

SHA256
3032b9edb1a922f3724059d196e4933157c47365e28070dffc4386bb25527a35

SHA512
d1f3d3bb7c9555c5d54659339097a38ed92387d317ffe974fe58bc93ae2782ac12f60b2e6ac2b98fcbe8a603de0726408a6256f11aa8744a8f0dc2e6e3736903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87fbf42bd0bee29eac1340b79e127860

SHA1
2a59034911e49f641d84b8dbaadc43d8ca5cc5c1

SHA256
8805dc6eaef374f21a9a7310053cfd1dba228fdc39308fcaa9d7c8c2e36f767d

SHA512
134b1db92ee2a7da8b489e0de198d987c9104c9fd5f82ffed3bacc043921e94f12a821614aa1dc88fc374721226113300f4aff4fb8d857d8f71529f9e656b727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcb26e338f8d35170df09e33183384d6

SHA1
6e9e14c1bfe35fa0148f3aaf4919859166ac7acd

SHA256
843a56b59b310e13827f01755354598222221561e224e09e2edab0098ac1ed3c

SHA512
3e34b45af876f45e3fdac8c4a7cd92aa8171d94a80c1578d52d17426b02ac8bfa6f2c3d4ee6cac4f3e2d3ec49ede26c4c3a128f7b17655f09867c78d32de929a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e49d6daba776c466e8d5d52107962c11

SHA1
e7895d5f23d2f3a1d80e6277d56caef596edd5e4

SHA256
1c961f69c971b7ec541155982ac4bcd96235b6983701c5196fe423032f47fb89

SHA512
410812aeee86d095b6e85497fcfcfef1d8c67637292deb230f212f543dd2d03f4de3827a762a0699fd4a05893fd0c59941dbad8e20f4da8665a2a58aa1ad4c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0887810aa451b3b84cb90ead6d5f4062

SHA1
eec6f87a21bd629665890575b9be65f98b6815f4

SHA256
f4ba840752952a58faa521485a1dcee06df336ad20d8ee07e54951e8f586033d

SHA512
9dc5c1c323ab4952441691bc4e70438197ac3e8f0caa04a962ebf18ecf7dbda88cfcc39d7270bb4bd7411e7d406969d61595743fa9b0b794283bc9b3283d5d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60ee621f147ed5cf51f2669afc162492

SHA1
84ee4e3c87486ca1fa317147a97f5927d90d14e3

SHA256
bd6fa9d8c0d1db72c8861419a2e1ea95926997c9bc8a25cb742c50949a1e4310

SHA512
f8e268ce562da25359c90ec6dc268349c24a97dfecdf10e048606fc31693fdafa0c33c1bb9fb595c9d7fad5569e8bd1faf1ea487b4e90769c4f77eb0b6ec12a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8579d6ac14065843d01090bedd977d8

SHA1
8a5a6802cff5d2e8a8af765fdfbffa4a2335e925

SHA256
7344cb92bedfd36276e4c3279cfe313b800447af714dcea76e55c3ebc6ce38b4

SHA512
2fb04f1c80e040bc0d8772863c8d64f747e2728da7c6e4a7bc019ea5d0b47a7d23f189e1f3cf4804917aa40547d4347d103d8fbfad78d46f4a7a663ad078b482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
919ffd7c19af1361d4f45fba51c056bb

SHA1
16103e989c2efe20d0b9b5d6916f9a0a0c0b5344

SHA256
ace1541c355979da9f9132cf22a18bca1b3c899678702178b43daba307af2aa1

SHA512
c6c83a4d8bff843835f8e1f606c4f1262b56e39278dd10dc13a820e0e9f76a4084aac57c20c9a91efc3d04b42ca87989e937aae5f5348e5d272496ad09a71c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50c256066ed1551bbfd10a41125f8afd

SHA1
5a9df5d9189c4639dfba4729f66abf81919f76f9

SHA256
810170f856d4110a0ad860fd0c0607e699cfaf543743aaedf7d4787cb89d8bf9

SHA512
3f22ca599e4ea877424ce88a8784f646168b24d3663abc24942ec835be460177ffb0500a1156b1702bacde7ed2363c1997067d107b7db972494ea19807e041a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb981fcb239c9b60a840546aaff0d82e

SHA1
b4eaf8ed3b62f187a977ad93497c8414f24541c4

SHA256
dc654b52a12b166c4bbdb15f8bcf5c85d9796a747e92ca029350c9a4f9cc32a6

SHA512
49f12b5d90363a6e6f69ec80eecbec413a3c9633e782c2ef3fbbf8296c2dbe8688156925e68ce006b0de6699056ac0913e24e8aa78037119aa8547b37f6def20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29a63a58dca8e9726da1b405d10d85e7

SHA1
95b78a113d433a5e235317de377287811b10db7a

SHA256
c5f2f68057c758dcc31e4827ba47fa273b1f75a2c0a64a992c5d76c4c989c949

SHA512
25147fa637c947af77b60dc355471c883c8561947cc9faa44db304625bc08d27e327d3b3909390a198c80170ae23695ac0609547a5600c32274713f3ae5788d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5933b87e55e05ff6dc68752c44e8fd1a

SHA1
9ec228ef8be8db588cc9280f1ebed77648b2989b

SHA256
ba4480a08189bfd91ed264786b6a8e2526f3c75055c1809806ca933154a93afa

SHA512
0275d3dd2ca4fec086e75b1c9840d25252954b58d971c6da17e373487a22b64b653bcf813c9ba51e3b2399b98cb8ec9785164172d5915119291834594a56b2db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
40KB

MD5
1128652e9d55dcfc30d11ce65dbfc490

SHA1
c3dc05f00453708162853a9e6083a1362cc0fc26

SHA256
b189ff1f576a3672b67406791468936b4b5070778957ba3060a7141200231e4e

SHA512
75e611ba64a983b85b314b145a6d776ed8c786f62126539f6da3c1638bf7e566c11daf18d1811b07656de47ff8b50637520cf719a2cacc77a9d27393fc08453b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
193KB

MD5
7fe2c36271aa8065b034ce9efdbd2a07

SHA1
e22ee654cb122d0d62393dd8d6753d2bcad148a3

SHA256
02cf672988303d8fbdbc7625f54596ece6d83c78152ca6e1aa332fc8c75d5c34

SHA512
45d53a09ced29138e2f99e0e8a293322050f8032e006df06315ac9af2f1ab64d1c767ea5db53289bb5881a4866061299e5a60cd83753fe6ba88e8de7562706ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
96KB

MD5
987d8920f98c2d9e0f7c2b9f30c8e27f

SHA1
10a0b1e40e7a1c97d62e2b5944a1f90efe1f8c86

SHA256
4c33060665a96a5dc1818a2345702b34f035bcc5d0be88fa1d76afed38a9f1e2

SHA512
683dcce0bd846e89097919469bfe5772680704df4137bd6a5bcc198b187f6768b202f4b9d89aecd46c330dd52c3f1fca595b7eb83c07c36e0f9f703bedcbd209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT~RFf780da7.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
65c8484f22f88d8be291ab85b3b69a0f

SHA1
7e253c0d7c4a3ed001a5ee5d139b54e32168eced

SHA256
fd07efe6a5959e11d668504a43bc04004cdf009fd293e62b4eb6575e8154a7c1

SHA512
8d78d436b2d169e1a96621cdec28e7e69ca23cb8b62e980ea0432d8635ec4a78b5a6fb2aa85c0ca6bac8d27d3b8f59575869f014e72ba3ac61eb076946bcc76e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f357ff59f809e49c86f834e941143632

SHA1
054d185db888691c3830771345f18bd017265eef

SHA256
84286483b1e25fe5831e1f1ac92eadf264046ce54df5a90b6be75ae455289c9b

SHA512
77fdb0197ebc9ef60bcc385c5f3a0cfc68147098bbba7aa11d024c3d6c36c5f63cfbbadbe77dd1b546c24e528b1232abc4e7ba03b75f1ecf268cb0f0b07398f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dda0cca54fcae58f237a4dbdd0e13b9e

SHA1
166cd545016e1368f236c63876191a20a9f94a85

SHA256
a4229a31769701b50e00bd5510dfb3e893e2d9174d2467a66857529d168d02e0

SHA512
74d022f067f514aa333b02f46163d87cd0d019a7981b65224ee630819f3730dd5da0b06b44846641548b3762ef35c4354e97a2c5ce887a6be3d01360f3933c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
baee5c2d52bf1be6af1f58f20950328a

SHA1
d59e6504f6d936c50997a1bfdeaf81e2c4b0c0bb

SHA256
0444ebb40853b162e35debad1918396cc99d9bd8ad3cf77ffa03ce7559aac342

SHA512
64f272f7474cc83096f3a19b81001bd2f28a568a629d6a325ec0d7793f0aa96d07ce03d5a9445eabace514fe2ce0d936a15f098a8447795cbd809fefddbdfcb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
50d5dcbb70a2d798fa3632f834486633

SHA1
f28937d9670302327270b774edf4488d65d4d2b6

SHA256
479c8db1cf0a153c3e404b98ddb78ba5736a1949adaf5b41508718de53d6ab17

SHA512
baf1feb48f4869b1076aff929d3424a5725be8bc682d966a985eb7c2b1a7fb0d286c775755f3762323568e858accf967064eb9c61ed04d31ac53c6e7bea4bcbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
198B

MD5
3e0c45178a1667f990541299a80fc7e5

SHA1
7689dfcdab7112cc72fe64a23dbe43aad32bd91b

SHA256
a1c447a4243ba04714b806129244440c5e35af7dd7b5507e0b6f65639198b0a2

SHA512
7e4dd5ceee8e18b5e590f8d4e3ccc18cc73d9830ca3fb54ca0760ee5a041929c9e5c01c67eb999e28c3258af531aea573595db485ac20a63e5c77f496a7162df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
5d777b7c68490c5c0fe81654247a66c3

SHA1
26c48f15b96cbb5e4dfd2708ab671c099756c04b

SHA256
8656410632b89d17803acb5f811bea025e69c920fd36abe74e1c3bcf499bfaef

SHA512
426e9f2f6101a5c1eb88e4432104328e1873cd706693f6f588d01b88e4943fc2e809fbbe14ea5718dcaa7225fbb08fa33eeba78023fa68cf3317dac2681c09a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ede6e2ddc5af16786939eea190a0676a

SHA1
28f02b59bf48a03d6ad8413b073cc9b22b2f9d1c

SHA256
f2c03093628f8e303ff0b5d23c6c8da6d137196d1162e658de954dce57ab7252

SHA512
9e7088b362569ce511188de7be3f3bf4e5df1c07d20fe5b27ba4bfe303d78c7a2b44279b94aaee4a46dedadb409543cc0f7e842a5f7a13289ec9a714e965809f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f244cf01e1a4fdf5920283a9d26d0b2b

SHA1
65324b8e018ac45474c37d4543b96b0ef659d5c5

SHA256
bad69c0b5292d09c0c6ad714a781eac948464a09c9022facaf3d85d4829a986f

SHA512
8b96e49bb5f2dc872689966bbc1c24f363bcc4867582be68d496ea0bf7a01ff9ff29d40a1ad62a3db0ba2000d7b7e68aeb1b17907347bfec21081df8f3359e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eea409515256f8d46b0a0fe3a101d420

SHA1
dce28ea6db81ed36be4946d71bc41264f112694d

SHA256
388abd923d176552aa4063b114e9060c042dac55fce667dfd0ff753453f13bbc

SHA512
2b8effc1cf02a81d3007a152a7ae48e17831731bc74702b3c1833fbe72473484a76530fba462765be38c59cadc44f66ee32d7738e296633bc3ea2a0d04b3d43b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
42e9feb323b72f1315c7a8f10b9dec36

SHA1
a57380ae776eff41e498421fe7f015657e37e378

SHA256
41246e645c5bfa06f461afeb06b6031428ac7b7d4d292a0fc162cb7946dff0f3

SHA512
d019b3981ac63260ce80169cec7d6d2f113785e7c3d2c6b6b1f89170a112fc601a1e567f27caee9b98f89e9ebed83c5a2a4b97a0878145f49e96581ab85baaa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84576cc9962f1b49d09195575146620d

SHA1
1386af0db9199a44308a099feea538651ba8f70a

SHA256
d8f554b9d3b7bc381daf024bf66630e21b44b0ca439b5283f05a9ded028a75bd

SHA512
8f6ec1ce35b4e64dc488e1c26843b27f21e3a252768a8a2d7a56ca4d0d074c1ec57ac693788a72a4bb30aca91cf6cd4981a3dba67a9e4783e760a6cd52748832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
148a523c4be57fb39a19d92610b50331

SHA1
fb437b005b2054d04669593b10ca605e88797a3f

SHA256
2d8be9d86f751a80a6194367ff7ea22ac157e4855330ba008bea65a9b64e751e

SHA512
a3931b66f83cc59269fb0a314bb5a4e150b1e0732ec0e04df85bee7efbdf972f2f25f0b58542f748a107be6077d5b8c180ce0cbdb563de7c54ed91dde118c6cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
131f3155d9022b77090efe667b45a696

SHA1
d430e98c97a2c87fd78aed60039bcfe7e478c72c

SHA256
8d74dd9aca1467de8934b1bfcfee8c684e77d748733cbefa135d72c5099fbd7a

SHA512
9a6dec9f777e24709f8f68dc504f4c34b750897b0f0826e5fe48db3e0993fede470c887d995408100a7581946c929f128d91dcd983f5c1cc8da7cd970032af36

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
d0137746bca9a48b82a9c520f7ea4ce0

SHA1
bf454a623bda2251b46dd0bcfeaaf6b47c33a766

SHA256
bbf0b41e8c270251bacbd9629c7f6fe92f47f7de8c8151ba78738c63eda2fc0a

SHA512
f0c1b1e11bfd07cf5934c105b43e39a7bdd7741a25a2ad089d197bcf0630a806e76414329dbfe6a1afb2b72674b500af764bb08a73b94df404f02f259af13dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe

Filesize
198KB

MD5
60661287ebe78f7b963a459736041fe1

SHA1
1646343b2e7cdb1981524a09d52c6a31cc124648

SHA256
774d15a0561571660398cfeb4fb6b010b427c63dc0fbd2549793ac49636241d9

SHA512
1043b6aa99e8c3a26b74bd1bf293df6275ceb246f4c11dc6985e6b88b8295f0d55fc37e8b25ec80c9b1f518eb35642360fd9ce71f2722657b96a06244bf4ed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe

Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA83.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
201KB

MD5
9066bf885cd72e46771654d0d8be15d3

SHA1
13afce866b59c99fa0319b7f204e6b6828d4b22c

SHA256
ad90872dfd4b64dfbff9c38d36bd8b1fdb4173a14e84ad9d151d56d36dc87d08

SHA512
ed55f1e9567c5076172f9037a6487fe406b0a87ecb7f8cc892a2e2d1cd9a2d832f7286d286dc90b85de34ecc0216309e5fe658c9c14cbaf07d4e1a4df42861ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
36KB

MD5
f91d357af9ba3732ace93c0c4a33f790

SHA1
2b9bef9264a290b4ead491d34a023927863702c2

SHA256
22c26840a84ce961926c22eba944711b34a35d7f0511b5d568a964e7255a6c4e

SHA512
939fddb50d03dde7b5003ed241de11895b344340080d4bf4194072654e2bf674a1fe62702b5c3c3cb29c091f177bc28dfe761d0e974fcd347c3958f3fe9347bf

Download Submit
memory/1372-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-2-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/1372-14-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-0-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-132-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-65-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-60-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-61-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/2476-107-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/2476-82-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-52-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2484-53-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-51-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-81-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-32-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-36-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-80-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-17-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-15-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-16-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/3012-79-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download