d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403

Resubmissions

21-09-2024 16:31

240921-t1qvhasdmk 6

12-08-2024 10:22

25-07-2024 11:21

13-07-2024 10:18

11-07-2024 20:03

08-06-2024 18:41

25-05-2024 19:34

23-05-2024 17:58

Analysis

max time kernel
334s
max time network
332s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoIt-Extractor-net40-x64.exe
Size

1.2MB
MD5

205792ce0da5273baffa6aa5b87d3a88
SHA1

50439afe5c2bd328f68206d06d6c31190b3946c6
SHA256

d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403
SHA512

186f2fac650ee02683c689b0c04867a30330a5475475b106a2aaaedc5e2fa3c9325cf07a2c5321044f5aed1502d729d1d9537ac57bf7733cc228c44ceaba7821
SSDEEP

24576:pcdWeAKpCklFpaQ3vGvW68WxOFxT6YP7KPU48YNL8SsbJDeAKpCZG:QFAcdFpa068WxOFxT6YP7KPU48YNVsbu

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

taskhostv2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ taskhostv2.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhostv2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskhostv2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhostv2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhostv2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AutoIt-Extractor-net40-x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	AutoIt-Extractor-net40-x64.exe

Executes dropped EXE 2 IoCs

Processes:

taskhostv2.exeaut60585.exe

pid process

2408 taskhostv2.exe
2224 aut60585.exe

pid	process
2408	taskhostv2.exe
2224	aut60585.exe

Loads dropped DLL 27 IoCs

Processes:

unlicense.exetaskhostv2.exe

pid	process
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
4788	unlicense.exe
2408	taskhostv2.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\taskhostv2.exe	themida
behavioral1/memory/2408-626-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-633-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-632-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-634-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-635-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-637-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-636-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-638-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
behavioral1/memory/2408-839-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\tmp9de5uzyx\unlicense.tmp	themida
behavioral1/memory/2408-1136-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

taskhostv2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhostv2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostv2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
118	raw.githubusercontent.com
119	camo.githubusercontent.com
121	raw.githubusercontent.com
122	camo.githubusercontent.com
123	camo.githubusercontent.com

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2408-633-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
behavioral1/memory/2408-634-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
behavioral1/memory/2408-635-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
behavioral1/memory/2408-637-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
behavioral1/memory/2408-636-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
behavioral1/memory/2408-638-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
behavioral1/memory/2408-839-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\tmp9de5uzyx\unlicense.tmp	autoit_exe
behavioral1/memory/2408-1136-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

taskhostv2.exe

pid process

2408 taskhostv2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2408	taskhostv2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608503277629921"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exeAutoIt-Extractor-net40-x64.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "8"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000b453dc33d697da01b3a7600a3aacda01b3a7600a3aacda0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exeunlicense.exe

pid process

3600 chrome.exe
3600 chrome.exe
5004 chrome.exe
5004 chrome.exe
4788 unlicense.exe
4788 unlicense.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AutoIt-Extractor-net40-x64.exe

pid process

3064 AutoIt-Extractor-net40-x64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exe

pid	process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AutoIt-Extractor-net40-x64.exeaut60585.exechrome.exe

pid	process
3064	AutoIt-Extractor-net40-x64.exe
3064	AutoIt-Extractor-net40-x64.exe
3064	AutoIt-Extractor-net40-x64.exe
2224	aut60585.exe
3064	AutoIt-Extractor-net40-x64.exe
3064	AutoIt-Extractor-net40-x64.exe
3064	AutoIt-Extractor-net40-x64.exe
3064	AutoIt-Extractor-net40-x64.exe
1592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3600 wrote to memory of 2916	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2916	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 3100	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 1692	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 1692	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe
PID 3600 wrote to memory of 2804	3600	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Users\Admin\AppData\Local\Temp\aut60585.exe
"C:\Users\Admin\AppData\Local\Temp\aut60585.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2bfcab58,0x7ffe2bfcab68,0x7ffe2bfcab78
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:2
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4164 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4752 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1660 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5076 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5088 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5324 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3048 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3048 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5616 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3256 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3284 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5788 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5688 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5132 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6020 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=1540 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6020 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5576 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3184 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=3268 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:1
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 --field-trial-handle=1916,i,18227572573499920236,12720802283970120674,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3728

C:\Users\Admin\Desktop\unlicense.exe
C:\Users\Admin\Desktop\unlicense.exe C:\Users\Admin\Desktop\taskhostv2.exe
2⤵
PID:4044

C:\Users\Admin\Desktop\unlicense.exe
C:\Users\Admin\Desktop\unlicense.exe C:\Users\Admin\Desktop\taskhostv2.exe
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:1408

C:\Users\Admin\Desktop\taskhostv2.exe
"C:\Users\Admin\Desktop\taskhostv2.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
931cd9d6f11bca68f88729cc985d69de

SHA1
bf1a2ceb9cd9311a26a4cf70b14189d8ee2c3dc5

SHA256
377b78a047de470689edc80d119f77ac45ffe64acea41c3bd6cc51ea8741241a

SHA512
3e8fecdc489e6c4cf4afcb8f9dff9534655e829a4e73cde38caccf5515eea4fb213bbdf9c6c5d33d8aebb026d55ae2bec318c48dae5f22073be7b213becfe1fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
b3ab669bc5a3bc58e5b0c10a44c3c4db

SHA1
f369bfc1cd058082bff1114b0f2c0c6cb6c77b63

SHA256
ca5fa6c30a4338eefec5b2dde25a29f6a7081d5f5bdf3a4a763f5954b313fcc9

SHA512
efe3032af9dc735f5c60e023cbdb000b224a0aacdda4994c31b3bfde556ec041e2e7287b0e49349a7c9e1f6d893feca86a3281d0d1d563b30a2bc3ebfe93fa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
4458e8819100a1bddaa81381a98f9dcf

SHA1
e901cd67b749af47f4b903ea69916ce3e91ff719

SHA256
0bb1ea3d41eac1459a624f7d6fa85f9d97314b64b22d2084ccc44564d46cd0e6

SHA512
7858df226556727a377d1dd3f0e99b2df68b9cfc3471894a29f18f87d3d22a466a83728d1b86cd1af338786b806d5ff9b3419eb085fa32ad0ac7be0e0e3bf875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
82adfb85a98529d558151d8d5f5838fb

SHA1
fcfe58591388f34680d9594bdc1669f9b7c2c7e1

SHA256
9631bfd8f4ca6985d329d03e2ba3b68894285f29e34652e9e8d63cc0492518d7

SHA512
1d677571bf4fa641bf3df676d052015a37e6ab6d32c1c08d1bb4196ca663e453a4846ed9b73735c3ced62a5dd39452131522ee8c98d370bfb44b9f293b499055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
ab499975c401277f1282184c221a2b97

SHA1
626f02323527cec873cd8a0003872029394dabb5

SHA256
37a0282858aa635ccb6c21e138bab9cc3aa91de74c4e704d361163cd3c5bbd64

SHA512
e341443c8613fcef3c17fd0f47295a303b5bfb25dcfdce5590744e758b67aef15761fde565243f7eec2948f0b40283f1a8e0ee6b38aa8ebe3e80891efe64eaec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
05e2da8d86ce67f6ffbce179255ba72c

SHA1
8cc294a482cb3073466a0bfdddfbfaee14758a0d

SHA256
85b811820ec369e6a75da491a6c14937fcc88350159216dcfe0bd98110c6578c

SHA512
1f333e809aec62f706379e6811340b4b64e29eb05865679791627b1bf62aa393d78ac9b4c19fa1d6f041ea4aea71739c181bac280198a5da6edc555134614502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
b27e5caf5df3b3b21d430088f94aaba6

SHA1
3327560f579eb1e03d64d3805224c1ab2973ae9b

SHA256
07f51d53497d04fa5074fed7dfe4428cfd77b191cf25d317ef5b61feeed81438

SHA512
bdddc6fbfbdd69ab656352af6e70b70d2c3df7a0e96091b504eb934c50504affd0dd03f7f793336e8ecf00d8d72817f5c9d43432ffa12d127b1eb85ced87c430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
4507698ee15d3abc7b1b23bc01d6982b

SHA1
52baf3dc1c6a280727028ad6d856887b821293f0

SHA256
b8bde902b9d0765ec91152d81968b67d75eca6b1dfc6ac4b21ce5bd4a6493f9e

SHA512
9f87a5e58c5bf7a265659a7b62592af978a2125c239411da9aa47fa0445afa897d218e285e6bfe90e9f00dd61f60eb4e288e288c63aef663a78963435e6e71cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c18bcbe942c1fc6cf07135970437c970

SHA1
6be3e511cf33eb419291f4d1df3c7555d760af8d

SHA256
3651e309aad6098a851784876432a593bb8ded1de7807d158a7f7dfdc13ca6f9

SHA512
fba4c1f889bf333172a25c7efaf064a78ceb03e9122d697143a4251c5697fb2366bdb964b68968d6d0bf76970bdb21d6de06a1494ed547fc9db6ae3ccdd77789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8ee68a2dbcd77fd8395890a3fa005523

SHA1
b09960e5bfc8ac74735df075d162ee594877f4f2

SHA256
9d392b0c3b84dff83b055fedb53675aab14fb779c2620c264493f44d563b3259

SHA512
b361e32d3794650779f015c5828da7233b89c3f8eec4cc5d6a3345eb8eccd196ededf5bb6fef0d578a86089a42cd1f220c128f13f93c442a186b41dc3371d10c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4dd6831492a00ed4a602851ac7295696

SHA1
fa6db0fc9e1f0aaa20f5e64357acb1c955703fa6

SHA256
e0e860a4956f08138b6b25ff81e2ba338cfdd6bc9cfebf68b81d4757059a9be4

SHA512
fd0c9432975dd36eac5e32bf1a7c399884029502424ba598342d1617264a6362b00e9496341c3318d0cdb536688405d514c7ea0cbee046a0520271b31e4bd794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5e8bc3ba231ee32ff6976cf8c93b6580

SHA1
10055720631dad3f22bf65a9533870d29d40bfbb

SHA256
c55af2885343f5b1073b2fbf54fed6ebfecb2230f2e34532ce2cd88f25e17a67

SHA512
173e8f2e317f3e1821352cc2563e98a0e4b477c2ad433cc831aed85459868f898564e69c14c7c5ffe0342b14205e48c75379bba15f1ae9ba4f73a010121dc88c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
63936c5e189960bfa749f997b578ea21

SHA1
91b22309e2d2bcb7d7b54d4ca3db155b8453e572

SHA256
0b99836725b964a060aeb8e7cd155fb76926a72baffbcb1130a0444a44879b0b

SHA512
76bec1cb4f0739a2e0a0be19c2d3fa1482898c96c11d5366d4bc5013ef7e087b3989ff3194dcfa4834e525355fcda0fa30ccba5aa3bd58995df7210e704f6d3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
87aae27ac859a0bbc3f7e6357f17dd21

SHA1
1e70021f8e508eaed6ba48ce66782ea048630250

SHA256
c43307ed8b638b4583b6408b8557a30fe25330f81f0e6cc3601ede8233aa8427

SHA512
0f05c9e6714c9bf030b6fad4cde856ab2d4fdf25164d18cdc7e399bab751eb582f5228b7d5bc87473fa7a98e2c5762ba8b462e14cd4e3528cd2a43a07d591e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
0bafc5867bd146132dca1666ceeb14b7

SHA1
cf9f1b7e470681ed31c6f6b26e019aa63edcbe7f

SHA256
9990bc48444251886b9376d602ff9dd98d009bbcdc99bda0f541d1c60850b086

SHA512
be746de7b080e2d1c5f988487104da4960b7c1615684159141929cc19cd31cf0b15f91e0061295117c408f3a900c09f4a3f8107d60e71ebc01485c2a53dc8799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
385a561794b516e2841de2577c76fdec

SHA1
485876a597f96a92c7d1ad9727091098e0ba0a36

SHA256
be6c18dbe169fb4dd36ed7dc8e85f07d97c98b908a5d95ebf05969a43fe483e5

SHA512
6bb1ba209d2f80a6c0daef5a242fba36793a04154518d74228d18725abc77011674c324d2cccf9eab9c98d1961acb961504f02e36adfbae35be8704bc4f79fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
f367570ec5d7ff42f63e0664057dd104

SHA1
af00e6f5eb446b1da93aff2d9e25d982e7ca304e

SHA256
6b726eef094dacb4ec6368b896e85858b5a345890f48ccbd27c15b585dd9c9ac

SHA512
89c273fcd9b761e40e6688b204795fa3ad3dae7d81e17f0957a088b48b56bd0db9095450b42f513dcd3d07039e6409cbff59a01e17c6d34ef5188fd91994bc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
901aeb4610bd37e5928603e4baf564a6

SHA1
51045c433633200223fdcc0e787bf1e5e757fe0f

SHA256
c0a5b578691b1853d664e81afc43c67697b8ab1985c95a1df8509c0f91291123

SHA512
a2276bb5ddcbe5a49a5bb4904a21a31a14180d49fec91d5f6d989701367da8a4fa2c68954ebaad63a57f6d2e6471c228cd1feafa1252cb7e7601af1f433ed99c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
741d79af4b9825e704e972738a4e243d

SHA1
f3348ab4c0b06f19da9d24ee1f06082a50f3c64b

SHA256
33ff8a6edf227dc1327bff68e6651604b17c6514ec5450aa8c9ba672ad9a85d5

SHA512
f9a02f191fa2e0d51c4512c99e48a66b17845592de04e3affb189736b8e78b0dd2a5dac40c957088b02740c04c55de5e16add37fae6951f590686177a14f00bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1049cca5e27df0ae0bae4ff12abdf635

SHA1
41ce400eda6048232399dac7f657fb6d7c2723cb

SHA256
d7d7e94f61a99a1fe2a125207739d65338a2cdb52a575f06202fb77cecda85a9

SHA512
b627650fd8ca7fdfea0078a2e2dad47b62f70a46fba0237ca102fd9682433820e34f4805d0e54aa5f6617787d63ead4a70144d1c609fdd7b17ca0dbe462a3f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f97ac4bed40d23cc6f4ed8e38395adf6

SHA1
15055c5af490e1948d5bfbd0f036a6a72006a019

SHA256
a68309fdcd982f3f70490631bdf663746b5c67dae9a95ed3f2596ff9d42b4d3b

SHA512
c1ec167fce55ac9574d84c025109323085fa62cc788dba0ca9019a247124122bb6d3dd92f05109fd8e55f0d3790e1f3b4b38f6c0a139cd2c437d038d7c56ef12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
85158bf8bbbcf795f2832496a213a5f0

SHA1
39d49bc65022df1b448bc39fb4dab6afdc312a55

SHA256
eba43c1f42fe7806e4f424a3ca05f563797608c4a61962abe5c99b5c2700534c

SHA512
f578ccfc2d160c71291586f101e42b3acd855cbd35d9283047e5e1bfc56e62aa781efac8aa5212f3f066e1dcca8c40c6c14f5925fb4c933f7db55c57573e20b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
462ff217beefb31383f52170355a4109

SHA1
8bd678156713d4fc131e601b4aef77e6fd195978

SHA256
609d5ee7037f2df87412fa3b8b7119430c98333d9a18fc8233f97860d6ac9d90

SHA512
a135e520f02889d4018db11edc30c5f4666e379592b7e9f768d5dacabe53170eae64447698336331a69acbb4012cefb13396fa39571a997ead09b4b477af6fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
816527fc8cc0974c5862995910f52700

SHA1
3f0c6b6d636bfc5cf501b51baa781cca202e2caa

SHA256
46264c3fa01a77b1cfaa0e99f1589f1691cb01e6a2f30eb9d0ae4f1b04830f59

SHA512
9c4f1346409f2e012767d22a4b48e9fe262bedd4c490c8200dd0b20239c02d5db087018a777e9581d5131234a41ededd75b6001b08205f06bb2cbe06116210a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
53549c788e10ab3adc60f8546cd5ae30

SHA1
f6ca1dbb7ba9f2d9ff851babf4ca3cf86a3f2e41

SHA256
950119010a95dc3802cff867ef7170650772ce47f49376abc6942a2a1e42e32f

SHA512
174e0f2b0396134b5bc34a854fa80d319a164fccfa2a8945c43f0c4879de22fde74045cdff0bff036936a04feb4e4cac9366ae66877a83c8adbe4727e1a2d6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
d7e3ab94a1eed83e987495a1b2621604

SHA1
1a7f43af6129512fe7d7575be3403f98c1fa4df5

SHA256
d704d95d8e9dbe3edf4f46ad41f8a89d2f61aafa13d7ba2ec1983c9057349fde

SHA512
fe02bb8f007c7dfc1ff5ab93bd0adda7416563fb740b284d0d5abf900535483757b842dbe3b6cd3cab4877b1269179700710c9d216979a693ff27c57c42a0ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581596.TMP
Filesize
88KB

MD5
500df0a99bfc32c06664017949333826

SHA1
827563bf7285352ab363c66e3badac6446f60e20

SHA256
fe7e495ea0b801d98e40fa84f44b3a598221590049eedcc8b4b61b41a03673a7

SHA512
9e11e929ef2355b0919eed88df905d40672829276311055953118704c45d289bc0945612e37464b7dea8f871a769f11793139e6812bb3c64ba0cfafe4dbcda6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b54b2585-1022-43a8-a4b5-a30e9eb98729.tmp
Filesize
256KB

MD5
ca986cce5057d014f69e170483f13676

SHA1
ae4da0047ad9d142832938b33710bb43f10314e0

SHA256
ea5f6f1366f4ec14463e16d022eceb270c8442c02f3585962959a4dd73de1d4b

SHA512
4240824267d758be2b2f761928862931e49193750e5a69f4d1cbc138b9cd808a47740aa98a725f664f43b4312bb597610c3881e0926325f335c36e7464756b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_asyncio.pyd
Filesize
63KB

MD5
79f71c92c850b2d0f5e39128a59054f1

SHA1
a773e62fa5df1373f08feaa1fb8fa1b6d5246252

SHA256
0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980

SHA512
3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_bz2.pyd
Filesize
82KB

MD5
3859239ced9a45399b967ebce5a6ba23

SHA1
6f8ff3df90ac833c1eb69208db462cda8ca3f8d6

SHA256
a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a

SHA512
030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_ctypes.pyd
Filesize
120KB

MD5
bd36f7d64660d120c6fb98c8f536d369

SHA1
6829c9ce6091cb2b085eb3d5469337ac4782f927

SHA256
ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902

SHA512
bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_lzma.pyd
Filesize
155KB

MD5
e5abc3a72996f8fde0bcf709e6577d9d

SHA1
15770bdcd06e171f0b868c803b8cf33a8581edd3

SHA256
1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb

SHA512
b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_queue.pyd
Filesize
31KB

MD5
f00133f7758627a15f2d98c034cf1657

SHA1
2f5f54eda4634052f5be24c560154af6647eee05

SHA256
35609869edc57d806925ec52cca9bc5a035e30d5f40549647d4da6d7983f8659

SHA512
1c77dd811d2184beedf3c553c3f4da2144b75c6518543f98c630c59cd597fcbf6fd22cfbb0a7b9ea2fdb7983ff69d0d99e8201f4e84a0629bc5733aa09ffc201

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_socket.pyd
Filesize
77KB

MD5
1eea9568d6fdef29b9963783827f5867

SHA1
a17760365094966220661ad87e57efe09cd85b84

SHA256
74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117

SHA512
d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_ssl.pyd
Filesize
157KB

MD5
208b0108172e59542260934a2e7cfa85

SHA1
1d7ffb1b1754b97448eb41e686c0c79194d2ab3a

SHA256
5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69

SHA512
41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\base_library.zip
Filesize
1.8MB

MD5
5327287d65cc9ab041ce96e93d3a6d53

SHA1
a57aa09afecf580c301f1a7702dbbb07327cf8a9

SHA256
73cdfcec488b39e14993fb32a233de4bc841a394092fcac1deb6ee41e24720ea

SHA512
68fc996b4809a762b8d44323a5d023ba8a39580039c748bc310da9878c94fe1685709ab959365ecb26a5ee1a82e65f2eb19344f1f03d4dff48eb87a403a57c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\libcrypto-1_1.dll
Filesize
3.3MB

MD5
e94733523bcd9a1fb6ac47e10a267287

SHA1
94033b405386d04c75ffe6a424b9814b75c608ac

SHA256
f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44

SHA512
07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\libssl-1_1.dll
Filesize
688KB

MD5
25bde25d332383d1228b2e66a4cb9f3e

SHA1
cd5b9c3dd6aab470d445e3956708a324e93a9160

SHA256
c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13

SHA512
ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\pyexpat.pyd
Filesize
194KB

MD5
9c21a5540fc572f75901820cf97245ec

SHA1
09296f032a50de7b398018f28ee8086da915aebd

SHA256
2ff8cd82e7cc255e219e7734498d2dea0c65a5ab29dc8581240d40eb81246045

SHA512
4217268db87eec2f0a14b5881edb3fdb8efe7ea27d6dcbee7602ca4997416c1130420f11167dac7e781553f3611409fa37650b7c2b2d09f19dc190b17b410ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\python3.DLL
Filesize
65KB

MD5
b711598fc3ed0fe4cf2c7f3e0877979e

SHA1
299c799e5d697834aa2447d8a313588ab5c5e433

SHA256
520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a

SHA512
b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\python311.dll
Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\select.pyd
Filesize
29KB

MD5
c97a587e19227d03a85e90a04d7937f6

SHA1
463703cf1cac4e2297b442654fc6169b70cfb9bf

SHA256
c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf

SHA512
97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\ucrtbase.dll
Filesize
987KB

MD5
6169dac91a2ab01314395d972fc48642

SHA1
a8d9df6020668e57b97c01c8fd155a65218018af

SHA256
293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e

SHA512
5f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut60585.exe
Filesize
155KB

MD5
0adb8ff62c06f3fc1a3d82360b353ff7

SHA1
d84884c4baace09ad320af0b6c6ecd37d11c36d2

SHA256
3fd4f66bb18ffa7b3928a4756f9f425393c5acd5e3687d0dc797c9b1777a48cb

SHA512
7f83c151fa7d9552fe9152c18c893853bdd8307a6561bbaad7f3a0d36770d89b9c9c0d37dbfd4761475a7590a5c95647d26591a4301c50d75fcdcb89c5c1fd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9de5uzyx\unlicense.tmp
Filesize
43.4MB

MD5
9a3d697784e4ffe8f062619e03dc7301

SHA1
89eac03a71660233d940674a3a4581d483d95390

SHA256
94ea8044b6136bc0693481b04a87e03e4ec8e0922aa10619b2cb069c44257f77

SHA512
3533d395835403b5ff1a16ce5e4254791428eab844aecf01f7cc125e66349c35047ae2555225fbcfbbc7528771fa66076affbd2fcb8bc6022e1df49fcf5cad56

Download Submit
C:\Users\Admin\Downloads\taskhostv2.exe
Filesize
35.3MB

MD5
911a11639a40d412466ac9bfca7c1ea1

SHA1
bd79203199a3aa9b4222a80bfe070902c50089b9

SHA256
91303120d9f0da0918f412b1a50134fe780835457b18624013e7502b6171e6dd

SHA512
20a0f6faab8619456dfb8cf5397951a56ea1bff4a3388029a7d19e88b4883cdf2635dcc9c2b71018c1edf1755546924761fd9eb11405fdcb54379c96ec380bdf

Download Submit
C:\Users\Admin\Downloads\unlicense-py3.11-x64.zip
Filesize
46.8MB

MD5
2f769fc19beb081a1f94f0013f96e2fb

SHA1
86a55959ab6ac2ba4abe5e7aced9d3dbc9a23f68

SHA256
09d2b526d7a9f76dc11546b3af85e67cd187108f060af6286d7a533831949d16

SHA512
d50e924a844fbcb5baf8b2ec5badaf5611d764a9f7e42e6afc2927956b2e3a90f9f3eface705884aed778e0231855abd1db5c1c75c65d75805f26adbea450068

Download Submit
\??\pipe\crashpad_3600_EDLFHIHIYSVTNVZO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2408-637-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-633-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-636-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-638-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-839-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-634-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-632-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-1136-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-624-0x0000019E14DD0000-0x0000019E14DD1000-memory.dmp

Filesize
4KB

Download
memory/2408-635-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/2408-625-0x0000019E16D30000-0x0000019E16D40000-memory.dmp

Filesize
64KB

Download
memory/2408-626-0x00007FF69C300000-0x00007FF69EE66000-memory.dmp

Filesize
43.4MB

Download
memory/3064-1239-0x00007FFE318E0000-0x00007FFE323A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-1220-0x00007FFE318E0000-0x00007FFE323A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-1204-0x00007FFE318E0000-0x00007FFE323A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-95-0x00007FFE318E0000-0x00007FFE323A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-0-0x0000000000440000-0x000000000057C000-memory.dmp

Filesize
1.2MB

Download
memory/3064-3-0x00007FFE318E0000-0x00007FFE323A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-2-0x00007FFE318E0000-0x00007FFE323A1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-1-0x00007FFE318E3000-0x00007FFE318E5000-memory.dmp

Filesize
8KB

Download