Malware Analysis Report

2024-11-13 14:05

Sample ID 240225-nryk4aaf65
Target LaunchBFH.exe
SHA256 80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
Tags: lumma stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684

Threat Level: Known bad

The file LaunchBFH.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Program crash

Enumerates physical storage devices

Enumerates processes with tasklist

Modifies Internet Explorer settings

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-25 11:38

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-25 11:38

Reported: 2024-02-25 11:41

Platform: win10v2004-20240221-en

Max time kernel: 149s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe"

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31024\Apply.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133533347991634495" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31024\Apply.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31024\Apply.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4284 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4284 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4284 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4284 wrote to memory of 4188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31024\Apply.pif
PID 4284 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 4368 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2740 wrote to memory of 3508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe

"C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 31024

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 31024\Apply.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Ink 31024\o

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31024\Apply.pif

31024\Apply.pif 31024\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdefb99758,0x7ffdefb99768,0x7ffdefb99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4660 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5220 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5296 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5100 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2320 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4860 --field-trial-handle=1940,i,5904241096886863658,11154569233428367820,131072 /prefetch:1

Network


Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 11:38

Reported

2024-02-25 11:41

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{721936C1-D3D2-11EE-A4DC-6EC9990C2B7A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208db146df67da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c6000000000200000000001066000000010000200000002bc7f99079842918112f66c83b844afa76ce9c64ea8aef674178ac4ef79f1cef000000000e8000000002000020000000ad441d3fca3feb7055b50e2fdcef76a2660d8c41e5d2fac73000f587ca85b6c02000000091b49ca1b4826d37f8c56c5c3be6f402b527b258b8fc6852ef03cdb347ce3c2140000000cf6363c6f3968b4c703a4f0e2179f053ba5916737d5af5e2a3850d5b25611a680cd69269a951e06836173e5b41c8c150d5ead477e2db3c7553ba9c247266697c C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
PID 2096 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe

"C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 31021

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 31021\Apply.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Ink 31021\o

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif

31021\Apply.pif 31021\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www..com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 524

Network

Country Destination Domain Proto
US 8.8.8.8:53 qBnWsPFfTrJBhDSbGyd.qBnWsPFfTrJBhDSbGyd udp

Files
