Malware Analysis Report

2025-03-15 04:40

Sample ID 240516-pvgx7ach5x
Target OwnCheat.rar
SHA256 329d442b6323544dc639d3b9f39a91780d925f22d8bc221666a6938c32932952
Tags
redline discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

329d442b6323544dc639d3b9f39a91780d925f22d8bc221666a6938c32932952

Threat Level: Known bad

The file OwnCheat.rar was found to be: Known bad.

Malicious Activity Summary

redline discovery infostealer spyware stealer

RedLine payload

RedLine

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:38

Reported

2024-05-16 12:42

Platform

win10v2004-20240426-en

Max time kernel

71s

Max time network

80s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\winrar-x64-701.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133603368730035947" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\Downloads\winrar-x64-701.exe N/A
N/A N/A C:\Users\Admin\Downloads\winrar-x64-701.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 4520 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 4520 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 3360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1516 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc02a1ab58,0x7ffc02a1ab68,0x7ffc02a1ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff758c1ae48,0x7ff758c1ae58,0x7ff758c1ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4264 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5040 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5244 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 --field-trial-handle=1900,i,18142115684683261677,13333250825718704779,131072 /prefetch:8

C:\Users\Admin\Downloads\winrar-x64-701.exe

"C:\Users\Admin\Downloads\winrar-x64-701.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
NL 23.62.61.104:443 www.bing.com tcp
US 8.8.8.8:53 104.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 170.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.174:443 play.google.com tcp
US 8.8.8.8:53 clients2.google.com udp
FR 216.58.213.78:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
FR 216.58.213.78:443 clients2.google.com tcp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 78.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
FR 172.217.20.174:443 play.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
FR 216.58.214.74:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 74.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.win-rar.com udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 163.68.195.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp

Files

\??\pipe\crashpad_1516_QECGGCMPNVODBQDC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 2eefe0a0dac61097c016a197e426a578
SHA1 1770a540f714213a070b77a7c9d9206a21bef371
SHA256 37d959eeb3ff5e746053e2e903e7ab968453078a9bcebcec747e737e5e88ebc0
SHA512 f40da93ea05ae81cf99e131a968c1ffd96eb8ab3664f008b26d07f9cfeb75135dc3226af3d1fe3f7069a3a3cb2d02a0d365cebfd6ad34edac72fd6c142cbb4ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\64a1a776-83f6-4082-8824-d6e38040fc15.tmp

MD5 5c73e3e1b5b2d8885432bfb570a0a95f
SHA1 231aea34589a7971df8837523328a25474332c9c
SHA256 539c7ba12ddc5b4b0f45ff799c45f62b9be69a420e8c2f06c5d402042e551bf7
SHA512 2eb19b4a916d4a349d1363983cd4d4446e89e0b0664c654465bb7a7619ccfa3e97aa7e7a3403807c971a4f270ebcc870b7967d84c0685b8dcb495a1cdfa72898

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 47c60dcc98f5caf9359871a249b772d4
SHA1 3ce6f3ab0da2ec2d45688a0fe1abfdc3b01379f8
SHA256 c37a375b96a09a6646f29d100d624db79b264866026f5b5ceff14e7eeac4404a
SHA512 30e6cabccc4d57c457808e25fba309c0cb4aee8f41ab10110682a6f1207e9b7fa16973fe58f742c6a63bf2a57f4ec219131dae65a0ccf40ec33361c4a98748c4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 12dfceea19e90b1d58652c145eb16a07
SHA1 2e55ecad6bce6ad0b8cee3d67e443e5f8e37ba3a
SHA256 bcc1f4e79d7f240e0cfefafe0d43e4957a181dc455ed16ae8ac11097fcf7e5a8
SHA512 2f2da54f610ac118e26e7c6ba6a1d28d0f6cd2ff98c42704d50c348130e3d09d14bcecb52e22121e6bd6a2ae9ecaf711ba9b6d15a877adaeb959b35fbe669421

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a165103282bcf3b13bde58cc71670f25
SHA1 bd98cb0d780654705162c5bb08f35afa8025c83f
SHA256 00106fef6f93ba72ebb5026090d73d7f77f20d193defcbb438c1837fed9688a8
SHA512 ccf1d8a5c2e8b4a0fd2f1706e0e5d433393fa9c0a209082bf4abeae09061983d5b2211d5c4e7df32656ad02de57f194d59c9995a7a64e1b24c244562bea33f55

C:\Users\Admin\Downloads\winrar-x64-701.exe

MD5 46c17c999744470b689331f41eab7df1
SHA1 b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256 c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512 4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7a331a1fa937de069741bf58e84292b9
SHA1 c1fc7e558b57d40bf6b47c15cda0fb86cecddb39
SHA256 6a4b9eb5616a879658b6765734217b4f50e699f92df83bf46bbddbee07ac67b2
SHA512 1f86fb24ba46bd5aa7061edcfb88bb11c6fa2dc069c8f6c4f80ed14b05c25cfc97c0aa5921d5cf72a468a7f25082b99e9ad9e55683a1d4268571b14263c1f0f1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 b5584a043bbd5c12fd7c21cae8121c19
SHA1 ce21c9684c4688ef7486d1ccd6235eea6fdd0be5
SHA256 a9ec5c11c101d2f6a1d6f470377cbb4ecc077601c978745459bf0ddab0a9769e
SHA512 b3b80aff7dc24b3e370b9367c2ef6f503770327e3f49cdc59985fd9205c3b01085e142116f8667e8f0076f418fa0a21359c781d802407020e6a8fc3567fd70ba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5809a0.TMP

MD5 8fc8d268a5121b3a6401b7c8b3117308
SHA1 946370af88c0001bafccc4276cc7728183844222
SHA256 87428af7e2d48932e88b52ee9ee6a09504632832b94f7b619113c55b51a22ca7
SHA512 0a739f511cbd8e9a666ff56098396a8436e83dc521165e8843260e0706abfca9c6b9c5915bf37f3c59013f3feec60343253bf71f6c1f4fe4943f9e3a7a88af41

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 de70055005240a92a5b3c25b3826e522
SHA1 1f3c0b4f07e8aebe0315a5258d62c163d66c5b50
SHA256 82a0b623e3b21023bcc52a091abb151994412011fb790569ec0b063367fe29c8
SHA512 103c9746f6bec3368e0d3fb80b68500b821788c29629e3fa29f3a1888cfd541594677bdfdd3c1bf8e864a098af8e085738121773a7cfab97639f1751269739a1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:38

Reported

2024-05-16 12:45

Platform

win11-20240508-en

Max time kernel

284s

Max time network

294s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1 = 8c00310000000000a858096e110050524f4752417e310000740009000400efbec5525961a858096e2e0000003f0000000000010000000000000000004a00000000000e0d5a00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\NodeSlot = "5" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2096 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 4420 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 4420 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 4420 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3896 wrote to memory of 2004 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2908 wrote to memory of 3528 N/A C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23676:74:7zEvent22141

C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe

"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe

"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe

"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe

"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe

"C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\jp2launcher.exe

"C:\Users\Admin\Desktop\OwnCheat\Addons\bin\jp2launcher.exe"

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\keytool.exe

"C:\Users\Admin\Desktop\OwnCheat\Addons\bin\keytool.exe"

Network

Country Destination Domain Proto
RU 147.45.47.64:11837 tcp
RU 147.45.47.64:11837 tcp
RU 147.45.47.64:11837 tcp
BE 88.221.83.211:443 www.bing.com tcp
CZ 104.64.113.235:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 235.113.64.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 95.101.143.218:443 tcp
US 20.42.65.93:443 browser.pipe.aria.microsoft.com tcp
BE 2.17.107.120:443 r.bing.com tcp
BE 2.17.107.120:443 r.bing.com tcp
BE 2.17.107.120:443 r.bing.com tcp
BE 2.17.107.120:443 r.bing.com tcp
BE 2.17.107.120:443 r.bing.com tcp
BE 2.17.107.120:443 r.bing.com tcp
BE 2.17.107.120:443 r.bing.com tcp
RU 147.45.47.64:11837 tcp
RU 147.45.47.64:11837 tcp

Files

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\ext\cross.ext

MD5 dada5d3d71d97009275fe266381bd52b
SHA1 be421b5c86767be813811869acf569a1ad1dbf3d
SHA256 63c3d033bfd95795a555e1ad0b9233c1547cfd7682cca803b31c2a985615d91b
SHA512 99d5fb30378029dac8980a902848bbbd0f638b0a5bf058537aa27a21a64dafa9c39674273af4a0d15793065c543d358f1a75559ab9c354d9f7754ca03fde4c51

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe

MD5 912358f984f87614dbedb09490dcacfd
SHA1 a867edcd5cb5151b2d7ec36052d6299c6bab2029
SHA256 0094e98a9f21a84e831ec6a4dccd2d912c5f5d78a1ae3c9339acf799e80280d4
SHA512 4decc1655c5f477d10d5e583f9ed1a0874cb1a8974d2a8aa3a68ab3a886cbecc07d654c73e5764f1257d25cb0fce5e5d2f707119d0da7d96dbe099ac4e75ea36

memory/1604-412-0x0000000001400000-0x0000000001401000-memory.dmp

memory/1604-414-0x0000000001400000-0x0000000001401000-memory.dmp

memory/4700-413-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4700-415-0x0000000005F90000-0x0000000006536000-memory.dmp

memory/4700-416-0x00000000059E0000-0x0000000005A72000-memory.dmp

memory/4700-417-0x0000000005970000-0x000000000597A000-memory.dmp

memory/4700-418-0x0000000006FF0000-0x0000000007608000-memory.dmp

memory/4700-419-0x0000000006B20000-0x0000000006C2A000-memory.dmp

memory/4700-420-0x0000000006A30000-0x0000000006A42000-memory.dmp

memory/4700-421-0x0000000006A90000-0x0000000006ACC000-memory.dmp

memory/4700-422-0x0000000006AD0000-0x0000000006B1C000-memory.dmp

memory/4700-423-0x0000000006D20000-0x0000000006D86000-memory.dmp

memory/4700-424-0x0000000007690000-0x0000000007706000-memory.dmp

memory/4700-425-0x0000000007630000-0x000000000764E000-memory.dmp

memory/4700-426-0x0000000008F80000-0x0000000009142000-memory.dmp

memory/4700-427-0x0000000009680000-0x0000000009BAC000-memory.dmp

memory/3008-432-0x00000000013F0000-0x00000000013F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 661cf82d7ff5c760912b43f583c59aa5
SHA1 924bacd9bb4e0f5f985b4f98bcd4a83a46775497
SHA256 e85f98a486bee3b77e4c15d304d2209d3944ec6e3ac2faadf68ba176edfa64ae
SHA512 44db890cc597390afd2b529af490e0835d14ef703eba6488720524666b76aedc02c7d17977f6c115474b6639ffcce409ebb205deb182b08a48fe5986109b616d

memory/2096-437-0x0000000000990000-0x0000000000991000-memory.dmp

memory/3896-441-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2908-445-0x0000000000950000-0x0000000000951000-memory.dmp

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\jp2launcher.exe

MD5 5f85f7f2dfac397d642834b61809240f
SHA1 eca28e8464208fa11ef7df677b741cdd561483d9
SHA256 b71e00adb77d87882d58993a5888955bdd62c57d364f60aaa0fa19d32a69c9da
SHA512 2bfe9fce450e57ea93deeaa85a746cb17ba946eeff866f10d67c74f7ea038b16910e0d8ef29e9f358af7daabd45e3983c370fef82a9647546819dcde3aee45bc

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\keytool.exe

MD5 9a4cf09834f086568df469e3f670bf07
SHA1 594c4e0394475a6299c79e3a063c7d5ae49635f3
SHA256 709e9e544434c52285a72f29ad6b99ce1e7668545f10ad385c87abf34d2052bb
SHA512 cd551e7944461f3288b880b9d161f19f97eb4599a3a46cc93c4172b5112960fb0c040b9996f13cf0761fb85a283e2f20944135ec59660c807a59b29cddc44586

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\java.dll

MD5 73bd0b62b158c5a8d0ce92064600620d
SHA1 63c74250c17f75fe6356b649c484ad5936c3e871
SHA256 e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30
SHA512 eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\verify.dll

MD5 de2167a880207bbf7464bcd1f8bc8657
SHA1 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7
SHA256 fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3
SHA512 bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\jli.dll

MD5 73a76ec257bd5574d9db43df2a3bb27f
SHA1 2c9248eae2f9f5f610f6a1dfd799b0598da00368
SHA256 8f19b1ba9295f87e701c46cb888222bb7e79c6ee74b09237d3313e174ae0154f
SHA512 59ecd5fcf35745bdadcdb94456cb51bb7ea305647c164fe73d42e87f226528d1a53ce732f5ec64ce5b4581fa8a17cfbfdc8173e103ae862d6e92eb3ad3638518

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

C:\Users\Admin\Desktop\OwnCheat\Addons\bin\zip.dll

MD5 cb99b83bbc19cd0e1c2ec6031d0a80bc
SHA1 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd
SHA256 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec
SHA512 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\ext\meta-index

MD5 77abe2551c7a5931b70f78962ac5a3c7
SHA1 a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc
SHA256 c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4
SHA512 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\resources.jar

MD5 9a084b91667e7437574236cd27b7c688
SHA1 d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1
SHA256 a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d
SHA512 d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\ext\sunpkcs11.jar

MD5 2e33d8f1fbeb9239c6ffc0d36de772d1
SHA1 3f881e3b34693a96cd3d9e20d6aeabae98757359
SHA256 938c497e97e893d0b9325522475ad9fb2c365a4af832ed180b570c3e4e6fd559
SHA512 db9a5b0f269bbfc9cb712d8bf170414d649cd72f0deeccdc3a4d742430e2e29e203f7e462d2df8f9ec2c82723a8a56ff8fd409cdcbe66547c798b15370b8db65

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\ext\sunmscapi.jar

MD5 2249eac4f859c7bc578afd2f7b771249
SHA1 76ba0e08c6b3df9fb1551f00189323dac8fc818c
SHA256 a0719cae8271f918c8613feb92a7591d0a6e7d04266f62144b2eab7844d00c75
SHA512 db5415bc542f4910166163f9ba34bc33af1d114a73d852b143b2c3e28f59270827006693d6df460523e26516cab351d2ee3f944d715ae86cd12d926d09f92454

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\ext\sunec.jar

MD5 a269905bbb9f7d02baa24a756e7b09d7
SHA1 82a0f9c5cbc2b79bdb6cfe80487691e232b26f9c
SHA256 e2787698d746dc25c24d3be0fa751cea6267f68b4e972cfc3df4b4eac8046245
SHA512 496841cf49e2bf4eb146632f7d1f09efa8f38ae99b93081af4297a7d8412b444b9f066358f0c110d33fea6ae60458355271d8fdcd9854c02efb2023af5f661f6

memory/648-502-0x0000000000E10000-0x0000000000E11000-memory.dmp

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\jce.jar

MD5 a39f61d6ed2585519d7af1e2ea029f59
SHA1 52515ac6deab634f3495fd724dea643ee442b8fd
SHA256 60724d9e372fbe42759349a06d3426380ca2b9162fa01eb2c3587a58a34ad7e0
SHA512 ac2e9ab749f5365be0fb8ebd321e8f231d22eae396053745f047fcbccf8d3de2f737d3c37a52c715addfbdbd18f14809e8b37b382b018b58a76e063efba96948

C:\Users\Admin\Desktop\OwnCheat\Addons\lib\jsse.jar

MD5 fd1434c81219c385f30b07e33cef9f30
SHA1 0b5ee897864c8605ef69f66dfe1e15729cfcbc59
SHA256 bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5
SHA512 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d