d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403

Resubmissions

21-09-2024 16:31

240921-t1qvhasdmk 6

12-08-2024 10:22

25-07-2024 11:21

13-07-2024 10:18

11-07-2024 20:03

08-06-2024 18:41

25-05-2024 19:34

23-05-2024 17:58

Analysis

max time kernel
443s
max time network
445s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoIt-Extractor-net40-x64.exe
Size

1.2MB
MD5

205792ce0da5273baffa6aa5b87d3a88
SHA1

50439afe5c2bd328f68206d06d6c31190b3946c6
SHA256

d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403
SHA512

186f2fac650ee02683c689b0c04867a30330a5475475b106a2aaaedc5e2fa3c9325cf07a2c5321044f5aed1502d729d1d9537ac57bf7733cc228c44ceaba7821
SSDEEP

24576:pcdWeAKpCklFpaQ3vGvW68WxOFxT6YP7KPU48YNL8SsbJDeAKpCZG:QFAcdFpa068WxOFxT6YP7KPU48YNVsbu

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

taskhost_40738cd3c1948d2db7538796e436b742.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ taskhost_40738cd3c1948d2db7538796e436b742.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost_40738cd3c1948d2db7538796e436b742.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskhost_40738cd3c1948d2db7538796e436b742.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost_40738cd3c1948d2db7538796e436b742.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhost_40738cd3c1948d2db7538796e436b742.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AutoIt-Extractor-net40-x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AutoIt-Extractor-net40-x64.exe

Executes dropped EXE 2 IoCs

Processes:

taskhost_40738cd3c1948d2db7538796e436b742.exeaut62408.exe

pid process

3816 taskhost_40738cd3c1948d2db7538796e436b742.exe
1732 aut62408.exe

pid	process
3816	taskhost_40738cd3c1948d2db7538796e436b742.exe
1732	aut62408.exe

Loads dropped DLL 26 IoCs

Processes:

unlicense.exetaskhost_40738cd3c1948d2db7538796e436b742.exe

pid	process
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
1656	unlicense.exe
3816	taskhost_40738cd3c1948d2db7538796e436b742.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 411378.crdownload	themida
behavioral1/memory/3816-657-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
behavioral1/memory/3816-658-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
behavioral1/memory/3816-659-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
behavioral1/memory/3816-660-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
behavioral1/memory/3816-661-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
behavioral1/memory/3816-662-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
behavioral1/memory/3816-823-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\tmpn96bsxlv\unlicense.tmp2	themida
C:\Users\Admin\AppData\Local\Temp\tmpp6sizx3w\unlicense.tmp	themida
behavioral1/memory/3816-1151-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhost_40738cd3c1948d2db7538796e436b742.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost_40738cd3c1948d2db7538796e436b742.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

132 camo.githubusercontent.com
131 raw.githubusercontent.com

flow	ioc
132	camo.githubusercontent.com
131	raw.githubusercontent.com

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3816-659-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	autoit_exe
behavioral1/memory/3816-660-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	autoit_exe
behavioral1/memory/3816-661-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	autoit_exe
behavioral1/memory/3816-662-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	autoit_exe
behavioral1/memory/3816-823-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\tmpn96bsxlv\unlicense.tmp2	autoit_exe
C:\Users\Admin\AppData\Local\Temp\tmpp6sizx3w\unlicense.tmp	autoit_exe
behavioral1/memory/3816-1151-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

taskhost_40738cd3c1948d2db7538796e436b742.exe

pid process

3816 taskhost_40738cd3c1948d2db7538796e436b742.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3816	taskhost_40738cd3c1948d2db7538796e436b742.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608858700538488"	chrome.exe

Modifies registry class 64 IoCs

Processes:

AutoIt-Extractor-net40-x64.exeOpenWith.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\NodeSlot = "8"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\MRUListEx = ffffffff	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\au3_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.au3	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "6"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AutoIt-Extractor-net40-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "9"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\au3_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\au3_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\au3_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AutoIt-Extractor-net40-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	AutoIt-Extractor-net40-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	AutoIt-Extractor-net40-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AutoIt-Extractor-net40-x64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4804 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exeunlicense.exe

pid process

2308 chrome.exe
2308 chrome.exe
3656 chrome.exe
3656 chrome.exe
1656 unlicense.exe
1656 unlicense.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AutoIt-Extractor-net40-x64.exe

pid process

2108 AutoIt-Extractor-net40-x64.exe

pid	process
4804	NOTEPAD.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exe

pid	process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

AutoIt-Extractor-net40-x64.exeaut62408.exeOpenWith.exe

pid	process
2108	AutoIt-Extractor-net40-x64.exe
1732	aut62408.exe
2108	AutoIt-Extractor-net40-x64.exe
2108	AutoIt-Extractor-net40-x64.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2308 wrote to memory of 832	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 832	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 1728	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3116	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3116	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4240	2308	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2108
- C:\Users\Admin\AppData\Local\Temp\aut62408.exe
  "C:\Users\Admin\AppData\Local\Temp\aut62408.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8aaf0ab58,0x7ff8aaf0ab68,0x7ff8aaf0ab78
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4640 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4688 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1712 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4692 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3316 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3276 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3472 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5284 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5524 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5544 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5704 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5480 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=1748 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2980 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5672 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=3028 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5552 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3056 --field-trial-handle=1952,i,17989184079717396308,15008270831329204863,131072 /prefetch:1
  2⤵
  PID:3076

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5000
- C:\Users\Admin\Desktop\unlicense.exe
  C:\Users\Admin\Desktop\unlicense.exe C:\Users\Admin\Desktop\taskhost_40738cd3c1948d2db7538796e436b742.exe
  2⤵
  PID:2796
- - C:\Users\Admin\Desktop\unlicense.exe
    C:\Users\Admin\Desktop\unlicense.exe C:\Users\Admin\Desktop\taskhost_40738cd3c1948d2db7538796e436b742.exe
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1536
  - - C:\Users\Admin\Desktop\taskhost_40738cd3c1948d2db7538796e436b742.exe
      "C:\Users\Admin\Desktop\taskhost_40738cd3c1948d2db7538796e436b742.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1776
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\taskhostv4.au3
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
45c34ca4c6ce7afd36f39b79817fe780

SHA1
b1dd1a56e5917b46119d33f83d47c87f867c0bb1

SHA256
09684b76b1502baf007e9c8d5324c791bc770c339fcaf0aacaa012a07fdfaddb

SHA512
fccdc1a8ad0135eaa2b1354bca20c5dbfb646630db76a9bd8e2d9e332e557ec581eb177bc2fd1800218d3431e5e7f36608fb2321752e197027611f4f9b287a39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b93395eff2028baa5b690f249527f3d8

SHA1
a750714f9fe549237ad34239089def467752cac9

SHA256
bacd1e23d277e9368d3c0e18b4f25d29d28364b3a5feb968ce7b3d0d14c0147d

SHA512
86bac3bda9002a7cd7ef9126c1b3de86e1d52a8bd91f6379e214f13cc11ee01af6758b8f864adb694776e5c43ce8830b6201b809f14d47827907a687d8790af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c69d4ceab4418c331cba0b6773de5c62

SHA1
b5ac9e2b3a92b721ed913ced3164c218230d4005

SHA256
0cffac78db79b51341d0ba4e7210859748d80a7a70027d2b004af5a26131fc01

SHA512
4e37bff1ef13565e3e28f6e0b39efdf3d1142171d2086dc51287353c52282b3a65aee750da302c0eac297a6a50a4bec33d78b280d882bd105c94a019f77d5d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ae9d9f826440e0d4c437b739feb030b2

SHA1
6583e596a32d3898de9200634c0962c8b636882b

SHA256
d64f2c4f068820204176a913fd50b9455e994ae5b2a86727e2e545488d789575

SHA512
0f2edc491aa9de61f6eca689f2803128b4a394255f77f6adc3bf269064735f4cd9f3c50fdccbf4b2634956dffab7002a48eced74df33bec2d1dae6b6487725b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fa013192f9141325e40a16e3a6889795

SHA1
dd3dab751d1cea0b56f373134f9a91a1c0d9f4b1

SHA256
859ac9e199631cbec1fa62bb4c3c5167cbe878ca4182fa8fabd20342d7db2364

SHA512
2433569dae095eef40fda6b1cded66fd3cc1b8114b6e357082f26ab52d34fa1246747c48480733664a6903146f6c6d73c311fb097b0a3ebd85375ff0d65be2f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a41f7e4f1dd6f9568cdf786deea08788

SHA1
abbe5ce01684fd7c4469261e73a0004b4f0cff15

SHA256
2d88c4ba08a41a54764b9cce3b4b093050f354db2b35ca13cc2a3562bfa42b9b

SHA512
b3cd5f0f8d14726ece878a4b100ad6fccec870c73d21845930e6b90a833a814025bab363d7b1420f244dd4d70c459ac74ca94edd84ca897f6a743709b950e4ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b9a7985504428a447e11d9eb0742c9e0

SHA1
e10b60daa24aa2c9c9763637cdf5b87a2c08b944

SHA256
ffadfc24e5d80e5e2c24b08e4f36e33f0ec4ecc539b14790d9d4a3463de69dee

SHA512
6559606d949f45a29521b1c61570437dc6a967cd27c5df60e6c97658f38051867ca7fa69f67842e58656ae89a19a1013712c40dd5aeb5bb7f435a608632a5971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0e4b402842d413e2acd8878404691971

SHA1
4f05a8c2a3204aa99e5a3f555e8d045a8e997cd8

SHA256
5a46fcb9ad8492d3c03e5da4243b166bc2dfe7e9fc735d946b9eb86e1847638d

SHA512
90c5109e7780001145f22157150398f35a0fd5a729d0df2496acab989297fa4f19c020aa6c770142fb0d8733a36867951e8024c202a8293a298aceeb7ab9fe17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f0d3c3e603940e35d55551134ba2aa1e

SHA1
5ac53abd6293364ddd2f0451ff7f827d561dc14f

SHA256
c20ad368356d12403a54bff9cef657d92fa4a44ac3c573a7818317c7625089c2

SHA512
196c3c6cafd09660c5a6d274c0fc647f0b541435ff47f7b7947a854e04d766648923b959eb92e732dbb3ec3951a51bcc53add9c7db101c11ff10d2af25a578dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a6fb53085cf751188cdb03dc4a297058

SHA1
acb02b65d57236d288393cfa46eea583f3ad0179

SHA256
02df7e384c2d8c6edd31019a3e1cd33439b02523c0578e0769178b48514c7aa6

SHA512
6a78772c0e58315edd30581591b7b83d3006a4eff8b65f3962cc6802699e9db61a631942a14b068e588b0534ebd22d7f4a6628e0059d4d608bcb39697422f5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
dd5641bc205f717362ff2756f29f790c

SHA1
bb4b3969025c0276e0afefc01a26a0e60e992eda

SHA256
05d4e3303f69955860616689109da2c7053c6c05e6c5beacca61499af01db473

SHA512
6314de5f43a3ba180622a95cb7f56ba57d30b4e2ef89ab60a0d9cfd868d2510ce9d7ccbdc141b8b05ecfcaeaeb49c93f351e5f787472563b8f87565b0d2d17c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
43587671c5b37542617f3c838c5db954

SHA1
b0a8f4c25c3cf9825ba26f12d3c13954bf5cc3e3

SHA256
5392437397837a4ee104419dbc03430a99f05a39f446470634977a3edfad08fe

SHA512
f4cb712268ddddab4b15cc411d87a4010ed98aa9cbf476d85d8aa3a7034195cd8f9bb32b92e7591ae8903cc8a98bc6047049e2c03822515c9aff30afae7d10db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ac53a812bf00ca007232d6199e44f87b

SHA1
040a1608d4b71d95ff5b72b33bc971525ac34ff3

SHA256
5f5f792107a0a32e1c045b6fb57305c43ad6943431db4ad9ed454b3f5a426b80

SHA512
3e6a66023e3f1c7d190827dec80be73acdaf52f27e09e8a4012ace29a620851991e40f397ff798e9a7ad919b8b5b1b225898e09ee597f3241fb9d67486d34f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
902a02c53163850c17b3ebbd74fdd74a

SHA1
856cf45c0e7d4694ac16e213ee44319f3d3064a7

SHA256
4b530bac58c88786616a9608f30450734c799fedd448872926d0747c3fa07316

SHA512
686947e40e8c92e8db40468a88ac9f01c1d90b01801db61a75cf8369baa1e566b35da52b95d156560701bf0dcfb65f7e1ca93cc5d1c514f4f9d0552f11173a13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a9a054f6bac88a5579eb802972a59e70

SHA1
2fc776b4cfda58d834bcf870534d36650bdff8f9

SHA256
22611d7505a19f7d952227e0cacbec6f351b336d3008606e452def11857fda0e

SHA512
92bb3ba63b4198af86d09194d708b84c2e4343df3f4c479155024d5a8efa7e6bb5be2250433276fdabd542815d0d497e7c32f5477f5e593f23b715dc0c197bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
65ec6cdb36b26159e7d3229a60ac0580

SHA1
de33d1c1a16796844b3b7814bacfb4c60e1fc44e

SHA256
0d89e466184f7a4f7b6164bed4484dfb59ff1628ee4c637412749d3a5f2afb25

SHA512
5a999c1df08d14fa9b89628e258ecf374fc4c4dc15429caca52daedb498f6f31d0ee322bd51459b48bd343a6c8692cb5f9441055388dbb8cf08c2749ca9f29c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c20bb1b07221d5e93a194986159f4043

SHA1
1bdf8ddf6808f22b7aba7541a2417e00a902686b

SHA256
427040a0116c2f3ecfdd9bdbf7b2432120f1094fb3e1a4e0df60c9bfe769230f

SHA512
1ea474a2f4353551ff56c1902443f42d67f5dac4caf58f7e8c67cf90122a1b50c438792e273262a345e755c270057fe16330f77c88b381f0fe7db8d78d496bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
df764da98bf2149db5afb6595d02ba24

SHA1
a445d10939e2184efb4081b92575ec5018b8a1cd

SHA256
40b25f85abe9a4f88806470a03a10770007fe1653ca887115206a755d4368e74

SHA512
fb899e897fceab72fac6b86e1b29911ef4eab2f4e2513f8a3e56aec8b79fa3e713c8c047a2a649287302a5749b7cacc4672c4aea5e307cd9b0940912fb7e3a83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4167239d911346824a49152dd613e91d

SHA1
716deb3c31a0c032ae35a171b1b8954086a96a3e

SHA256
7401d4d798bd48d837c24c16ba58129241761fee77caf1f6fd20e955194dca66

SHA512
1affe8a66b2acb469a0a55c63aa9bb2da93ed3056f0bb697be782ee11713c95f3f489ea3e87368d65ed4468497e0b407864f893695bd1a0911c6f0cfebd29539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0150dafd96116bdb5b42763e3b0648c2

SHA1
dfd49e0f0769cbbcf7171ba30d803007cf4708db

SHA256
903282a7cf307eabe37dd85b8f42f7184661610689d38cfc660872dc082ba669

SHA512
5f8ec984827d3f30479195b9ca132d72c7ca4f383560b6f3994689f45d6781103b5bf725a89e6a95725c672a4467694aeb6e31d65ffb67975e945644f717633b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
04762841b032a42e7f13604c6b4d6689

SHA1
5823a0c236648bc278fc44ed8fd91e1217b72ef0

SHA256
937212da5063b854556165e97826cb3b6e57d1cff46140ef099ae63903a4dc48

SHA512
4ea1924c087e666cea25fc0422487ca6dd8df55ec31e4a7cbae6a7f3245e3f2077efe218bc8dbeb346437320ab5fd481a38243ec80f9a35a8c17d9f504cfde1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
9c1d3d4d6fe30b4751ff385a559873fa

SHA1
1bd829fe0dc95d7f75829d0a1d432db5168819d8

SHA256
72225c8352171e43f6d832210f673061391b7ec1c4203adf5bf31af2020f2115

SHA512
60d29d896740e4e1c258eac025831f2a7382f2efc690c026679f4815f67c6b74deee643b3555047ad74437d355094d3225cab742f9bc99f3fd51e3f82f5fcf4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
e186f8431878ae1f7ca321b9bbd80901

SHA1
68cc2a04fff5ff0b26226b505d8a6a249e00174c

SHA256
5386c94ad533583a1aa683aeb86b174b84db2d0cd40ec1ae5ff7de334dc1b486

SHA512
a72df966ec3688efdcb763123884bfed690f8d68d735c9d3c3bad0424a7ba78c932a2321d736a10abf5e038a64173964995ad79cc8e2eda98397a09cc206c446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
aa243578bcda40bd5d0cd494a4f68098

SHA1
d8159e4263e24dbc8bf5c013e7a8e0d6e15b501d

SHA256
95cf506e2612a68ffaa8f1f365c6114846db1d48ec07d62fa0a4ea9b99a20a42

SHA512
384cf73cec05a8dde5dab9e09ef897ef054618afa05fb474d9d59b638c314fffe077c682ad2295db0d1f1faffb9d077f455baf08352e833bd8b0126ae654af43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
96KB

MD5
e90ed57daa363eb104ef8f30af6600e4

SHA1
9cce579d0e1039533c65f8a128264359d1358376

SHA256
ae192a51278f8f3f6cfead34eec5301641788ecd8df3765d715a69fc5377a250

SHA512
715a6fd347e145a68ab7bcb9e90abc774ada629bf117795c8b9fc7e2c0f477d212ba765df02ec04a622af1814aa10eb6b32de255d3e9f7bd17320f772bac9068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
7434908401cd9c7a9b43a501a355e1ea

SHA1
a4e0e69359a32387444119887f7cecbc9bf13f25

SHA256
623116f43ebc76e6a65024402cad8fd0901decd24cd451946d3814a7e7dfc5a2

SHA512
4d7119f518f06be8b81134633f4324906c5df3fb386e5b63163d53444a674b97fd98b36c6b4faf8d49cfce41efdc1cedfa2721e81b58b85cbad144ae6c32f5e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe595df5.TMP

Filesize
88KB

MD5
75689a33143136a6a1aab2ab0b77226d

SHA1
0c42219201716e136d92eb41f4b292df78f8878b

SHA256
59bac1202d8bbdac6f42cba11be0214feb87d461584c8f459234b5482fe012bb

SHA512
03ecfed31c7f7b1a87d1267b68c52f0af55c4791c0440d1cec7ca56b62445280ec3b640bec1427a02e03193417b6b7285d8748b1b5f895a62b6d9dd4195de12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_asyncio.pyd

Filesize
63KB

MD5
79f71c92c850b2d0f5e39128a59054f1

SHA1
a773e62fa5df1373f08feaa1fb8fa1b6d5246252

SHA256
0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980

SHA512
3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_bz2.pyd

Filesize
82KB

MD5
3859239ced9a45399b967ebce5a6ba23

SHA1
6f8ff3df90ac833c1eb69208db462cda8ca3f8d6

SHA256
a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a

SHA512
030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_ctypes.pyd

Filesize
120KB

MD5
bd36f7d64660d120c6fb98c8f536d369

SHA1
6829c9ce6091cb2b085eb3d5469337ac4782f927

SHA256
ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902

SHA512
bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_lzma.pyd

Filesize
155KB

MD5
e5abc3a72996f8fde0bcf709e6577d9d

SHA1
15770bdcd06e171f0b868c803b8cf33a8581edd3

SHA256
1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb

SHA512
b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_overlapped.pyd

Filesize
49KB

MD5
e5aceaf21e82253e300c0b78793887a8

SHA1
c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde

SHA256
d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a

SHA512
517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_queue.pyd

Filesize
31KB

MD5
f00133f7758627a15f2d98c034cf1657

SHA1
2f5f54eda4634052f5be24c560154af6647eee05

SHA256
35609869edc57d806925ec52cca9bc5a035e30d5f40549647d4da6d7983f8659

SHA512
1c77dd811d2184beedf3c553c3f4da2144b75c6518543f98c630c59cd597fcbf6fd22cfbb0a7b9ea2fdb7983ff69d0d99e8201f4e84a0629bc5733aa09ffc201

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_socket.pyd

Filesize
77KB

MD5
1eea9568d6fdef29b9963783827f5867

SHA1
a17760365094966220661ad87e57efe09cd85b84

SHA256
74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117

SHA512
d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\_ssl.pyd

Filesize
157KB

MD5
208b0108172e59542260934a2e7cfa85

SHA1
1d7ffb1b1754b97448eb41e686c0c79194d2ab3a

SHA256
5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69

SHA512
41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\base_library.zip

Filesize
1.8MB

MD5
5327287d65cc9ab041ce96e93d3a6d53

SHA1
a57aa09afecf580c301f1a7702dbbb07327cf8a9

SHA256
73cdfcec488b39e14993fb32a233de4bc841a394092fcac1deb6ee41e24720ea

SHA512
68fc996b4809a762b8d44323a5d023ba8a39580039c748bc310da9878c94fe1685709ab959365ecb26a5ee1a82e65f2eb19344f1f03d4dff48eb87a403a57c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\libcrypto-1_1.dll

Filesize
3.3MB

MD5
e94733523bcd9a1fb6ac47e10a267287

SHA1
94033b405386d04c75ffe6a424b9814b75c608ac

SHA256
f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44

SHA512
07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\libssl-1_1.dll

Filesize
688KB

MD5
25bde25d332383d1228b2e66a4cb9f3e

SHA1
cd5b9c3dd6aab470d445e3956708a324e93a9160

SHA256
c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13

SHA512
ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\pyexpat.pyd

Filesize
194KB

MD5
9c21a5540fc572f75901820cf97245ec

SHA1
09296f032a50de7b398018f28ee8086da915aebd

SHA256
2ff8cd82e7cc255e219e7734498d2dea0c65a5ab29dc8581240d40eb81246045

SHA512
4217268db87eec2f0a14b5881edb3fdb8efe7ea27d6dcbee7602ca4997416c1130420f11167dac7e781553f3611409fa37650b7c2b2d09f19dc190b17b410ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\python3.DLL

Filesize
65KB

MD5
b711598fc3ed0fe4cf2c7f3e0877979e

SHA1
299c799e5d697834aa2447d8a313588ab5c5e433

SHA256
520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a

SHA512
b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\select.pyd

Filesize
29KB

MD5
c97a587e19227d03a85e90a04d7937f6

SHA1
463703cf1cac4e2297b442654fc6169b70cfb9bf

SHA256
c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf

SHA512
97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\ucrtbase.dll

Filesize
987KB

MD5
6169dac91a2ab01314395d972fc48642

SHA1
a8d9df6020668e57b97c01c8fd155a65218018af

SHA256
293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e

SHA512
5f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut62408.exe

Filesize
155KB

MD5
0817eba91d0d5d072b52bd8185a8c477

SHA1
fc90835f504554710ed37b01bcaf4f0cb0a5a870

SHA256
554a0a1a023d5431ecdc8ee106fd7ccce6433e2b993ca0d4a82447808d31fa56

SHA512
c262151ca35e6783f4da514d26b483f2d3f7467f4b753769dbc9d648a82d536b17483d8ef848bcf1d65006f93ec60e2abd30a56808b9733e623f13e661e2d927

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpn96bsxlv\unlicense.tmp2

Filesize
33.0MB

MD5
93b9d6daf246a4fdc260add96790c9af

SHA1
92d00b53f8a2bee91afaefa400eaf9a495b1eb76

SHA256
0160da53603d55e77fad817531c9f90abd2801a5ec706a9987ff974cd6f4a899

SHA512
0fc8efd7be2f1cdddf68d295b9dd966c01463caeb3e4566f40fc983d74d85be7291a285a17efe2bf4d20a7eaf158f869b359ff5c7d95114df2b5ecfd39795684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpp6sizx3w\unlicense.tmp

Filesize
33.0MB

MD5
f0a4b42823267afc15d82e06f335f584

SHA1
f8c44627ed3993114e6d7927386dd31f757fbb49

SHA256
54de2d5130bff900746f667d3d45a87a89984611c745904b65dd381d0d06beaa

SHA512
6ef9e550c1ba6d03f24c1f8406393cdd1568d10ee76a506eed0624278aade65cf149862858697094c8d83e8ca2d396fda1b618b10e3b2ccb4715b851780e8f4c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 411378.crdownload

Filesize
22.8MB

MD5
40738cd3c1948d2db7538796e436b742

SHA1
43c1b62b24d54cfdabb879e0426cce8678f777b1

SHA256
4bd8616841b6e9c72360e8b241e55ed286c10c0b96f0aab3531dcc1d1b05f6fc

SHA512
eb6dd3a52522f9a7c642227dd51142313ac2eabda2158de80e5bb7b28bf2292a2019b0951b70882134ed02422c1705dc3940b05e75abe0b894b2ffd556e4b7af

Download Submit
C:\Users\Admin\Downloads\unlicense-py3.11-x64.zip

Filesize
46.8MB

MD5
2f769fc19beb081a1f94f0013f96e2fb

SHA1
86a55959ab6ac2ba4abe5e7aced9d3dbc9a23f68

SHA256
09d2b526d7a9f76dc11546b3af85e67cd187108f060af6286d7a533831949d16

SHA512
d50e924a844fbcb5baf8b2ec5badaf5611d764a9f7e42e6afc2927956b2e3a90f9f3eface705884aed778e0231855abd1db5c1c75c65d75805f26adbea450068

Download Submit
\??\pipe\crashpad_2308_XRWKBDCCEBMLQLYE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2108-1245-0x00000000017B0000-0x000000000195E000-memory.dmp

Filesize
1.7MB

Download
memory/2108-0-0x00007FF8B1253000-0x00007FF8B1255000-memory.dmp

Filesize
8KB

Download
memory/2108-1-0x0000000000740000-0x000000000087C000-memory.dmp

Filesize
1.2MB

Download
memory/2108-2-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp

Filesize
10.8MB

Download
memory/2108-3-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp

Filesize
10.8MB

Download
memory/2108-4-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp

Filesize
10.8MB

Download
memory/2108-1262-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp

Filesize
10.8MB

Download
memory/2108-1261-0x00000000017B0000-0x000000000195E000-memory.dmp

Filesize
1.7MB

Download
memory/2108-1258-0x00000000017B0000-0x000000000195E000-memory.dmp

Filesize
1.7MB

Download
memory/2108-1219-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp

Filesize
10.8MB

Download
memory/2108-1220-0x00000000017B0000-0x000000000195E000-memory.dmp

Filesize
1.7MB

Download
memory/2108-1246-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp

Filesize
10.8MB

Download
memory/3816-658-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-655-0x00000267302A0000-0x00000267302A1000-memory.dmp

Filesize
4KB

Download
memory/3816-656-0x0000026732200000-0x0000026732210000-memory.dmp

Filesize
64KB

Download
memory/3816-1151-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-657-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-659-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-823-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-662-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-661-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download
memory/3816-660-0x00007FF7A2970000-0x00007FF7A4A84000-memory.dmp

Filesize
33.1MB

Download