Malware Analysis Report

2025-01-22 18:51

Sample ID 240311-zeat2sdf81
Target https://cdn.discordapp.com/attachments/1216836182860628050/1216845019185418340/gen_build.zip?ex=6601de3c&is=65ef693c&hm=d1a1eca8ddeec67d4541910893b2b076143ae403d58fa7b7faf2aa262e14cdda&
Tags
gozi banker isfb trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1216836182860628050/1216845019185418340/gen_build.zip?ex=6601de3c&is=65ef693c&hm=d1a1eca8ddeec67d4541910893b2b076143ae403d58fa7b7faf2aa262e14cdda& was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan

Gozi

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Modifies data under HKEY_USERS

Modifies registry class

NTFS ADS

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 20:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 20:37

Reported

2024-03-11 20:38

Platform

win11-20240221-en

Max time kernel

57s

Max time network

58s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546630646097623" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\chinahalf1930182.vbs" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\gen_build.zip:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 4880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 4880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 3652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 388 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1216836182860628050/1216845019185418340/gen_build.zip?ex=6601de3c&is=65ef693c&hm=d1a1eca8ddeec67d4541910893b2b076143ae403d58fa7b7faf2aa262e14cdda&

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9351d9758,0x7ff9351d9768,0x7ff9351d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\chinahalf1930182.vbs" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C computerdefaults.exe

C:\Windows\SysWOW64\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\chinahalf1930182.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN TwitchUpdater_A7Q2drImVArLnmrvI050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\A7Q2drImVArLnmrvI050MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC ONLOGON /TN TwitchUpdater_A7Q2drImVArLnmrvI050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\A7Q2drImVArLnmrvI050MX.exe" /RL HIGHEST /IT

C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe

"C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe" explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 104.21.79.145:443 textpubshiers.top tcp
US 162.159.137.232:443 discord.com tcp

Files

\??\pipe\crashpad_2284_SNVMLDAIKDMCOGZA


C:\Users\Admin\Downloads\gen_build.zip:Zone.Identifier


C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json


C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State


C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences


C:\Users\Admin\Downloads\gen_build.zip


C:\Users\Admin\AppData\Local\Temp\chinahalf1930182.vbs


C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll


C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe

