Malware Analysis Report

2024-08-06 12:40

Sample ID: 240526-t4tessdf47
Target: build.exe
SHA256: 5a7f0ae453a4302dc288e00b6392923906ead1f181d338ab1c02a4a78f78593b
Tags: stealerium, collection, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5a7f0ae453a4302dc288e00b6392923906ead1f181d338ab1c02a4a78f78593b

Threat Level: Known bad

The file build.exe was found to be: Known bad.

Malicious Activity Summary

Tags: stealerium, collection, spyware, stealer

Stealerium

Stealerium family

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

outlook_win_path

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

outlook_office_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-26 16:37

Signatures

Stealerium family

Tags: stealerium

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 16:37

Reported: 2024-05-26 16:39

Platform: win11-20240508-en

Max time kernel: 149s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build.exe"

Signatures

Stealerium

Tags: stealer, stealerium

Reads user/profile data of web browsers

Tags: spyware, stealer

Accesses Microsoft Outlook profiles

Tags: collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612151166294074" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 228 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4076 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4076 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4076 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4076 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4076 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4076 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4076 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4076 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 3108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3332 wrote to memory of 3108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3332 wrote to memory of 3108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3332 wrote to memory of 868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3332 wrote to memory of 868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3332 wrote to memory of 868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4316 wrote to memory of 1264 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 1264 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 768 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4688 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4688 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4316 wrote to memory of 4944 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe24d7ab58,0x7ffe24d7ab68,0x7ffe24d7ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4148 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4872 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4508 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 104.16.185.241:80 icanhazip.com tcp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 104.16.185.241:80 icanhazip.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 104.16.185.241:80 icanhazip.com tcp
US 162.159.137.232:443 discord.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.97:443 www.bing.com tcp
FR 216.58.215.36:443 www.google.com tcp
FR 172.217.20.174:443 play.google.com udp
FR 172.217.20.174:443 play.google.com tcp
FR 216.58.213.78:443 clients2.google.com udp
FR 216.58.213.78:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
FR 216.58.215.36:443 www.google.com udp
FR 216.58.213.74:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 74.213.58.216.in-addr.arpa udp
FR 142.250.179.110:443 encrypted-tbn3.gstatic.com tcp
FR 142.250.179.110:443 encrypted-tbn3.gstatic.com udp
FR 142.250.179.99:443 id.google.com tcp
FR 172.217.20.206:443 encrypted-tbn2.gstatic.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
FR 216.58.213.74:443 content-autofill.googleapis.com udp
US 140.82.112.21:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
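The table above mixes the sample's own traffic with the browser and OS background of the sandbox, and the report does not attribute rows to processes. The following Python is an added triage example, not code from the report or from the Stealerium project: it parses a verbatim subset of the rows, resolves the three reverse-DNS (`in-addr.arpa`) queries back to the forward connections they correspond to, and buckets destinations by category. Treating icanhazip.com as the external-IP lookup and discord.com/gofile.io as the abused-service exfil channel follows the report's signatures ("Looks up external IP address via web service", "Legitimate hosting services abused for malware hosting/C2"); that attribution, and the suffix table, are the editor's assumptions.

```python
"""Triage of the sandbox Network table: added example, not part of the report.
NETWORK_ROWS is a subset of the table copied verbatim.  CATEGORIES and the
decision to treat icanhazip/discord/gofile as the sample's traffic (and the
rest as browser/OS background) are the editor's inference from the report's
signatures; the table itself does not attribute connections to processes."""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 104.16.185.241:80 icanhazip.com tcp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.97:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
FR 216.58.213.74:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 74.213.58.216.in-addr.arpa udp
"""

# Domain suffix -> category.  Assumed mapping (see module docstring).
CATEGORIES = {
    "icanhazip.com": "external-ip-lookup",
    "discord.com": "exfil-or-c2 (abused legitimate service)",
    "gofile.io": "exfil-or-c2 (abused legitimate service)",
    "symantec.com": "certificate status (ocsp)",
    "microsoft.net": "os/browser background",
    "bing.com": "os/browser background",
    "google.com": "os/browser background",
    "googleapis.com": "os/browser background",
    "gstatic.com": "os/browser background",
    "github.com": "os/browser background",
    "githubusercontent.com": "os/browser background",
    "githubassets.com": "os/browser background",
}

# country  ip:port  [domain]  proto   (the mDNS row carries no domain)
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or "", "proto": proto})
    return rows


def ptr_to_ip(name):
    """'232.137.159.162.in-addr.arpa' -> '162.159.137.232'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def categorize(domain, ip, port):
    if port == 53:
        return "dns query"
    if ip == "224.0.0.251":
        return "mdns (local multicast)"
    for suffix, cat in CATEGORIES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return cat
    return "uncategorized"


def triage(text):
    rows = parse_rows(text)
    # ip -> domain from the non-DNS rows, used to resolve the reverse lookups
    forward = {r["ip"]: r["domain"] for r in rows if r["port"] != 53 and r["domain"]}
    out = {"by_category": Counter(), "ptr_resolved": {}, "sample_hosts": set()}
    for r in rows:
        ptr_ip = ptr_to_ip(r["domain"]) if r["port"] == 53 else None
        if ptr_ip:
            out["ptr_resolved"][ptr_ip] = forward.get(ptr_ip)
            cat = "reverse dns lookup"
        else:
            cat = categorize(r["domain"], r["ip"], r["port"])
        out["by_category"][cat] += 1
        if cat.startswith(("external-ip", "exfil")):
            out["sample_hosts"].add((r["domain"], r["ip"], r["port"]))
    return out


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for cat, n in result["by_category"].most_common():
        print(f"{n:3d}  {cat}")
    print("reverse lookups:", result["ptr_resolved"])
    print("hosts attributed to the sample:", sorted(result["sample_hosts"]))
```

Each of the three PTR queries maps back to an IP the sandbox had already connected to (discord.com, raw.githubusercontent.com, content-autofill.googleapis.com), so they add no new destinations; the rows worth blocking or hunting on are the icanhazip.com, discord.com and gofile.io connections, and an uncategorized bucket in a real run is the cue to extend the suffix table rather than to ignore the row.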

Files

memory/228-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

memory/228-1-0x0000000000490000-0x0000000000622000-memory.dmp

memory/228-2-0x00000000050E0000-0x0000000005146000-memory.dmp

memory/228-3-0x0000000074DB0000-0x0000000075561000-memory.dmp

memory/228-7-0x0000000005600000-0x0000000005692000-memory.dmp

memory/228-8-0x0000000005690000-0x00000000056B6000-memory.dmp

memory/228-9-0x00000000056C0000-0x00000000056C8000-memory.dmp

memory/228-10-0x00000000063A0000-0x00000000063AA000-memory.dmp

memory/228-11-0x00000000065F0000-0x00000000065F8000-memory.dmp

memory/228-12-0x0000000006610000-0x000000000662E000-memory.dmp

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/228-69-0x0000000006DC0000-0x0000000006E52000-memory.dmp

memory/228-75-0x0000000007410000-0x00000000079B6000-memory.dmp

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\Process.txt

MD5 333357bc353bc37c73433d789d3e7ead
SHA1 d0a4942d6d35e64e93b8c60cf05adf20831b40aa
SHA256 f927f5c25c3865c360e039fd966460fabea598d1c0b01fd5c15944a2a7a8c7a8
SHA512 e143914d861ede9c5f441497f42db8ce772b6935f66eb6e99feae638d59725f127de7d0b6859891055cbcdb3923040cecb21e4d5707cdcf6ca0dcaa8e1328567

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\Apps.txt

MD5 7610c1e8507a2036dcbddd2661e0da78
SHA1 3457906b1bbf44870fe6ac51165dfb5ccdeefd72
SHA256 9316d47815132a221562d03c2cb6167a6a6e300aaa4db73bd07439d939a4e76f
SHA512 1577208c24925dce0d633ed3dd7c851888f45f2cdc23bf219e400c391b59302a5f535c0f6acf8bcdbb9495d6af20f1de2e9a9f8bfbb11a11e4e8e4744cce845f

memory/228-195-0x0000000006870000-0x00000000068EA000-memory.dmp

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\Debug.txt

MD5 fd79cc2e56698e01eed0b5755a791bec
SHA1 9f6fe0fadb9dfde83d02fbb2c450679e59dc6e1f
SHA256 0bef87789ec3d1800a457b2cc07e7adc0b5f65af34f6409daf3f2f8bb6a9fced
SHA512 695a8abffaa1369cbe2fe025f553cba7ffd8c50606964ef2dbf16421c09c01e90921df5de4292c9e1707cae544eb96eb8231ad3f424162a6ca66d7016bcd3245

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/228-264-0x0000000006EE0000-0x0000000006F92000-memory.dmp

memory/228-266-0x0000000004BF0000-0x0000000004C12000-memory.dmp

memory/228-267-0x0000000008E50000-0x00000000091A7000-memory.dmp

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\msgid.dat

MD5 2430c2abc611d2a06d5e21d22f771e14
SHA1 3d52c8fc87f37e96d3d657694bb0c4008cb3941a
SHA256 88302c71db1a8263001846afa1fef08d5a735f61e9667d584d467c7e9c2d98e7
SHA512 d6b2655dabfa424b9a04c23c32139ecbd00410ba4366c3e18723ac9ad55842ef97af38fd44b429c5575d8b9ab22892e2f68707c06cb7d39153481d67041c98c6

memory/228-279-0x0000000006D80000-0x0000000006D8A000-memory.dmp

memory/228-280-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

memory/228-281-0x0000000074DB0000-0x0000000075561000-memory.dmp

\??\pipe\crashpad_4316_IQIGRNJVCDFOBLVK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 8d7f0585675679686b3aaa7780b12f03
SHA1 67e907f0aecd9816f23281dd0a94196da176768b
SHA256 ea1fe64c07c7f84eb247aea86e7736ba2015a716bb66716472c24e1d2e379cf1
SHA512 a048b6f31e2b8b2afe1b028b5e4b5b22700a733266ec9a7e25c22a80aebc219f685ab6091de4933e27a6ec7690bb70da4eb69a55531ce5221abe8ade6ab5e171

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd8af046d15fe8d448a4577b26490012
SHA1 327ae57c473278cfa5ec22cbda514fef80e4d146
SHA256 860fe09d8353f023b307af9f09f09ada9dd28996bbff93f12e16ad3bd2e3290b
SHA512 31912a8b0c78a94933f40b057e8b510b4bcd4bf62d3245d61c801e5eb533f2e3a5aeaf95a7961cd653403eefefa360f53313d7a5a4f26f8040b3e25bfb5a437d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 593205f8f80623489da6a762a053674f
SHA1 418b142e07f9e0a7b323b43daeed70d43093eef2
SHA256 000523ee9b63a583b2dac2b06e5780f6b4c7c8fb9216f887258cc0d687884190
SHA512 6b164c9e6b07e108afd02f1a92827edc182891351f5a3a558bfc9e6887882fde5fb67314debf1bd24a2cc8dd8131e4e62e73ff81211f79c013b2537e83af0608

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d0af60b0ab82d8aa172c1e1a59f475ac
SHA1 5809bdbaac7e48ad5e6c90ad9ee91810b0df06db
SHA256 b97a0a6002e8bfe0d5cbf126f2f084f0657784b5281eb18092763aceff72a80f
SHA512 db45da05246eb24691de22290d6d13fb9d8655155bebfcc91ab352a552fe30fe94d22396accb81fe1738d89b676a54166098d4ce868fa0956d73db7e172fae2f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 e88fea60474b90bd9bf744bb4788576f
SHA1 8ca7d421624d0f40438222cb803e3186cdd301e3
SHA256 3c801bcdf60934c3abf28f5513225ef907b46a8795ab606e8474c5c2a3bbffa5
SHA512 06672a30dfcfa397e922a8046a4a4b2f833a9ce1387bbb388a5b3c34c1f4832825fde56588a16e4dda3e7850668a5ee3df42db00cd94ec827bcd79c6f21bc21a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 79e684396b380aad8f68fb4211c00872
SHA1 d330f188534118027590a7860d2268210b27b61d
SHA256 388a2097c0bc5a559e6cfebbe89119b3d9a4133ca744097a3b7ae77c3d737e01
SHA512 f970a92be644f1e3aa59df89355fcbafad46d796548ba13a3ca5ecc804e5e4d49928d940614c6cb1fc65e380b199b97cf32bb7314c4367b031f50752d18eb5b6

C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

MD5 efe76bf09daba2c594d2bc173d9b5cf0
SHA1 ba5de52939cb809eae10fdbb7fac47095a9599a7
SHA256 707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a
SHA512 4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 aa3852ffd17a8a943c006da143de35ec
SHA1 b3533b107a591a4ea7c234128dad85ef682d7ae1
SHA256 ccadacb6a8d5e37a4babdc331a75080219ad7bb0dc0c2c3287467d45fd412c74
SHA512 31f71787ccd64f6a9784e7f14344eb06e80fac2b2ee07800d6f17497660702bde331d0d66309e28fcb4857732dd48515ea88607e84bf7a8ec39f1d37a9a3fb9f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f3eb473ba200292ab62a3ca47c41b5a3
SHA1 2ea2e43d8882740acfe8dfec03016e433b75cf2c
SHA256 586cca30492179e345fe31ac23ac6cf6a8895d4a13a608827cee0a549827ffaf
SHA512 36881705921c2729c4aafe0b1bed769e265bcd22f335d9679b7c844fef564da10d2bd488d62d87749809f8aedede4ac4b7b8e2c008a4aea487987c0872b75d5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 504ccc158e2cd8ffe2d72313fec21723
SHA1 d112583fcd28d8ab7870b78e45681b0308698779
SHA256 0dc5ab7d2c7a8a8d8cbd9a5e6c49290467229b28e7e11871af01aee5b54efa48
SHA512 ff22ee17bf6144e041ee37678f51f0a4397cbfcc022ae2e906361263de3b8daffc84478de78842109012513aec494f77cd1651a24ab877198f21fb5e036ad158

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe590267.TMP

MD5 b4966cc8ee9ccfa1afe00f76bf78e709
SHA1 b585312d84f5487082eb817042eef53943f7f2ba
SHA256 00847ce14e4ae365bfb9260fd8793fb05bfa9fece41573190ae1027009e1bed0
SHA512 1ce687f90c633ac9574b19d64867f07da695b08d652dc16cbc333d670af08e7d84ec4e6cf842e4ad67bc17ccc371da5503d55957f7d3fa83c31c9480ffb3be1d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

MD5 b425a3c0c715d4ba7c6bf4cec5df69a5
SHA1 c3bdd73bbb0ad57b910718a10fa2ceac8ddb778c
SHA256 78027f1f209368cbf00394cb383caf948bbf1c642ab94934cd0a9ad266530e6f
SHA512 125f0eb751c62ae74682f03ebb3e83f5ee93f5c22b2b94a4e3d558cc3da04ca7e2f0f0b9c788c9b9abc32b823c849919b74d9f13662a920d8cf0906a661e676f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 34cc079eb682c0b874ccdf12ba67b936
SHA1 f6ec310ea728bd65155b17459d69ee18579f80ac
SHA256 306d8e8a439d8223e50d4aa334edcacb31062213c9b4d4f8b27219eb39e1d6c7
SHA512 819cd6e3e21cced9a660114baadf9e69b3d546efd22649f1bec5471786fa5ef3b1394549e25cf69da82c640ee39a526527f2a17352495fca3c1007fb3c79481e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 baef4248960eea4eb2299a89acbb8a88
SHA1 dbc92ced88adbab38f94985937263da8581b6efb
SHA256 d24049bae86276ac97ad109ad7aec239898e6c902b0608767290115c171bf827
SHA512 f9fd4ea50d58cdca35ae1d699155e4fb336676f6cc646eba7fb73fcbf4d1662e9f8777aee606b5d883aff92c67546605991f399298f1d195f91f647611bf7c0e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1e59260eae2f0479fda62cd71eeaf5cf
SHA1 1a9c0d2218c73a8f9ea79f6f32c8b439ed455f24
SHA256 53128308b8e6c829d1cd24e36b1f6095df04b2190066e0279044f54da81d5c57
SHA512 d1216b0250f1b399f0500cdfd797b22bb6549780e845e5fbefa4ebfa0de3d4c96485f6a7aab773ee0577c86debce49042e32bc42fb6bc1d001283154509fc009

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a591541b2f6f1ec764b1360a44661fd5
SHA1 deb6232b13a51f4ee468f791c1591671c290abe0
SHA256 3e4faa06b198c868c0bf5bbb3e60a24f4a588b8b60f56df3041ba205bda58227
SHA512 bc9790dbb54a9472ff7023577a97ed2f4f6454a4f432bdd64411d31223b2908b7e54b68377f7de2705d45ca3e38be8981c3314f1d0afe007745b77dae957c7ad
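The Files list above is dominated by Chrome profile churn and memory regions, with the stealer's collection output sitting under one directory named by a 32-hex-digit string and a `user@HOST_locale` subfolder. The Python below is an added triage example, not code from the report or from the Stealerium project: it classifies a verbatim subset of the paths, pulls the staging root, user, host, locale and collection module out of the Stealerium paths, recognises the `:Zone.Identifier` alternate data stream, and checks each MD5 against hashes of contents an analyst can reproduce (the empty file, the JSON `[]`, and a candidate Mark-of-the-Web stream). The path patterns are derived from this report's paths and are an assumption about other builds; the Zone.Identifier content is a candidate the code tests against the report's hash, not a fact the page states.

```python
"""Triage of the sandbox Files list: added example, not part of the report.
FILE_ENTRIES is a (path, MD5) subset copied verbatim (memory regions have no
hash in the report, hence None).  STAGING_RE/REPORT_RE are derived from the
paths in this report and may not match other builds (assumption).  The
Zone.Identifier bytes are a candidate checked against the report's hash."""
import hashlib
import re
from collections import Counter

FILE_ENTRIES = [
    ("memory/228-1-0x0000000000490000-0x0000000000622000-memory.dmp", None),
    (r"C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Browsers\Firefox\Bookmarks.txt",
     "2e9d094dda5cdc3ce6519f75943a4ff4"),
    (r"C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\ProductKey.txt",
     "71eb5479298c7afc6d126fa04d2a9bde"),
    (r"C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\Startup.txt",
     "68c93da4981d591704cea7b71cebfb97"),
    (r"C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\msgid.dat",
     "2430c2abc611d2a06d5e21d22f771e14"),
    (r"\??\pipe\crashpad_4316_IQIGRNJVCDFOBLVK", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports",
     "d751713988987e9331980363e24189ce"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State",
     "8d7f0585675679686b3aaa7780b12f03"),
    (r"C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier",
     "fbccf14d504b7b2dbcb5a5bda75bd93b"),
    (r"C:\Users\Admin\Downloads\Ransomware.WannaCry.zip", "efe76bf09daba2c594d2bc173d9b5cf0"),
]

# Contents whose hashes are worth recognising on sight; hashed at import time
# so the table cannot drift from the bytes it claims to describe.
KNOWN_CONTENT = {
    "empty file": b"",
    "JSON empty list": b"[]",
    "Zone.Identifier ZoneId=3 (candidate)": b"[ZoneTransfer]\r\nZoneId=3\r\n",
}
KNOWN_MD5 = {hashlib.md5(v).hexdigest(): k for k, v in KNOWN_CONTENT.items()}

STAGING_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[0-9a-f]{32})\\(?P<rest>.+)$")
REPORT_RE = re.compile(
    r"^(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[a-z]{2}-[A-Z]{2})"
    r"\\(?P<module>[^\\]+)\\(?P<file>.+)$")
ADS = ":Zone.Identifier"


def classify(path):
    if path.startswith("memory/"):
        return {"kind": "memory dump"}
    if path.startswith("\\??\\pipe\\"):
        return {"kind": "named pipe"}
    if path.endswith(ADS):
        return {"kind": "ntfs ads (mark-of-the-web)", "base": path[:-len(ADS)]}
    m = STAGING_RE.match(path)
    if m:
        r = REPORT_RE.match(m["rest"])
        if r:
            return {"kind": "stealer collection output", "root": m["root"], **r.groupdict()}
        return {"kind": "stealer staging file", "root": m["root"], "file": m["rest"]}
    if "\\Google\\Chrome\\User Data\\" in path:
        return {"kind": "browser profile (sandbox noise)"}
    return {"kind": "other"}


def triage_files(entries):
    out = {"kinds": Counter(), "modules": Counter(), "known_content": {}, "staging_root": None}
    for path, md5 in entries:
        info = classify(path)
        out["kinds"][info["kind"]] += 1
        if "root" in info:
            out["staging_root"] = info["root"]
        if info["kind"] == "stealer collection output":
            out["modules"][info["module"]] += 1
        if md5 and md5.lower() in KNOWN_MD5:
            out["known_content"][path] = KNOWN_MD5[md5.lower()]
    return out


if __name__ == "__main__":
    summary = triage_files(FILE_ENTRIES)
    print("staging root:", summary["staging_root"])
    print("collection modules:", dict(summary["modules"]))
    print("kinds:", dict(summary["kinds"]))
    for path, what in summary["known_content"].items():
        print(f"{what:40s} {path}")
```

The staging root and the `Browsers`, `System` and `Directories` module folders are the artifacts to hunt for on a live host; the crashpad pipe and `SCT Auditing Pending Reports` hashes resolve to an empty file and to `[]`, which is the quickest way to drop Chrome noise from an artifact list without opening each file.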