hxxps://github[.]com/pankoza2-pl/malware

Analysis

max time kernel
666s
max time network
681s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 12:42

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malware

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 8 IoCs

pid	Process
3028	installer.exe
1756	installer.exe
4348	installer.exe
904	installer.exe
4780	installer.exe
4276	installer.exe
4440	installer.exe
4268	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
154	raw.githubusercontent.com
153	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615486063271445"	chrome.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
1816	chrome.exe
1816	chrome.exe
1756	installer.exe
1756	installer.exe
1756	installer.exe
1756	installer.exe
904	installer.exe
904	installer.exe
4348	installer.exe
4348	installer.exe
4348	installer.exe
904	installer.exe
904	installer.exe
4348	installer.exe
1756	installer.exe
4276	installer.exe
1756	installer.exe
4276	installer.exe
4780	installer.exe
4780	installer.exe
4780	installer.exe
4276	installer.exe
4780	installer.exe
4276	installer.exe
1756	installer.exe
1756	installer.exe
4348	installer.exe
4348	installer.exe
904	installer.exe
904	installer.exe
1756	installer.exe
4348	installer.exe
4348	installer.exe
1756	installer.exe
4276	installer.exe
4780	installer.exe
4276	installer.exe
4780	installer.exe
4276	installer.exe
4780	installer.exe
4780	installer.exe
4276	installer.exe
1756	installer.exe
1756	installer.exe
4348	installer.exe
4348	installer.exe
904	installer.exe
904	installer.exe
904	installer.exe
4348	installer.exe
904	installer.exe
4348	installer.exe
1756	installer.exe
1756	installer.exe
4276	installer.exe
4276	installer.exe
4780	installer.exe
4780	installer.exe
4348	installer.exe
904	installer.exe
4348	installer.exe
904	installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1432	chrome.exe
4440	installer.exe
4268	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 2040	4976	chrome.exe	84
PID 4976 wrote to memory of 2040	4976	chrome.exe	84
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 1592	4976	chrome.exe	85
PID 4976 wrote to memory of 228	4976	chrome.exe	86
PID 4976 wrote to memory of 228	4976	chrome.exe	86
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87
PID 4976 wrote to memory of 2068	4976	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malware
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff935dab58,0x7fff935dab68,0x7fff935dab78
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=992 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1452 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4856 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1664 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4576 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4680 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4280 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3164 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\memz.bat" "
  2⤵
  PID:1376
- - C:\Windows\system32\certutil.exe
    certutil -decode c installer.exe
    3⤵
    PID:916
- - C:\Users\Admin\Downloads\installer.exe
    installer.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3028
  - - C:\Users\Admin\Downloads\installer.exe
      "C:\Users\Admin\Downloads\installer.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1756
  - - C:\Users\Admin\Downloads\installer.exe
      "C:\Users\Admin\Downloads\installer.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4348
  - - C:\Users\Admin\Downloads\installer.exe
      "C:\Users\Admin\Downloads\installer.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:904
  - - C:\Users\Admin\Downloads\installer.exe
      "C:\Users\Admin\Downloads\installer.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4780
  - - C:\Users\Admin\Downloads\installer.exe
      "C:\Users\Admin\Downloads\installer.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4276
  - - C:\Users\Admin\Downloads\installer.exe
      "C:\Users\Admin\Downloads\installer.exe" /main
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      PID:4440
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        
        PID:3416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
        5⤵
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff824746f8,0x7fff82474708,0x7fff82474718
        6⤵
        
        PID:756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16800597430193047925,7435190966927830286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:3764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16800597430193047925,7435190966927830286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16800597430193047925,7435190966927830286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
        6⤵
        
        PID:908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16800597430193047925,7435190966927830286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        
        PID:4896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16800597430193047925,7435190966927830286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        6⤵
        
        PID:1020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16800597430193047925,7435190966927830286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
        6⤵
        
        PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 --field-trial-handle=1876,i,4259866835094419989,12350825513278686652,131072 /prefetch:8
  2⤵
  PID:2424

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4172

C:\Users\Admin\Downloads\installer.exe
"C:\Users\Admin\Downloads\installer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d7d7517a2b84b84aef398bea57ccbec0

SHA1
8f663e0c9152a8ebd7d936593f4d65f5c5fba16e

SHA256
efdba9be785114c1f6470ba8e0b6885482cfec6ae9609949b4e8142025135bde

SHA512
e89c9ef21b3ff5c77c3f4ba41539b2ebd123d68af5b19f83dc619ea6c6bb6c1a3ce0366fc56a573318b8e82e4a6266ba43428a85da40a76f6488bbfc692b0c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
47afef7dd3e8266a3ae31c8b6b80f679

SHA1
0323d43de35f137dd193be976847c146beb12226

SHA256
4b009cfb9b02ba5d9bf4f0ee7cd278b2b29f10906f2558c2a3b69cb35101d07d

SHA512
f7220674858932880ae836c499a21bd2b5597017a5f719dc63f1c92cda4938bebe1b4a8ea70a206f4f4d5219b806485e8a76b9930af7204b0dcdebcf02e94003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7dbdda26c52bf6cf4eba1f62e42da4e2

SHA1
90b37a9685edf7e51e740e360ff6d36235b0046f

SHA256
c5194cb252506fd3c534a4958be92231275c359ef68d33e5052a8256865f9144

SHA512
78ee8ede4a8086f478c5c2278659d85116d52a5e5feb7701b58b4d3eaf828df56d384816dbc4fce37c952c1423fe591a149228cb38b86a913bbf5ef7fda8a8f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f651f5d7b5c873988653a20856bb51d3

SHA1
f0f3d39a3e6c3748dd809faf6df1e027766ca040

SHA256
2fd4535547bc34fbfecdde0f1fd8e21397c212badcdc6e7a3db5a66aa2e2ae98

SHA512
9eba96b51f941d0ad494dcfd8b79dc6a682f0325a757bbed4768c61ed64aa27ec0e952d79e33485ee1ec60c1127946d834821113c45adb90f0ab375f6def71d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
860b17a6b4a38a0fe70e01cb3405b3d7

SHA1
b6e73a5fc2b478c3edf0756db37be02279f814b0

SHA256
ef47f574b55adec0abd252aaebaa77db0f68fd95525d57094d4f82248c70459c

SHA512
c9c462df16f1640a53aaddc3b7567eaaede4d093bf3b59addc2dcfa1c474675164d255fa0f38b63b7aaa4b45f4cc81fe3b4f174a19ca168a803a4c3e440c7150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5209fb7da3c042d1ebb077fb5431f385

SHA1
0f796207f034df2a897f2883d3a75f4effe55129

SHA256
0544dcbdfd7e1ba6a212a447cf9e963d68f683c4fff9f04c536f00a386f5a87d

SHA512
89a4307e39a6087229c17762f6e852dba70519dd75dee8e4c018b6ef1e00236b68800f9c05d1372accc3c424ddbd796a95f4b9e5a5f90cf80f4dd38cf79c28bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47508ce5a0819ba9367f00c79f6f01dc

SHA1
517ef4616cea93205650f1e9dc661b5f7ba86b6f

SHA256
d38d75cfbbf356c44ece9d2e71f88cea841669c109392149bb77208bd9273e19

SHA512
9ed3d4b76d76409e8a0d017bc6bb85b5dc91dc9fa6e465f8f86c922f51af8707ea3d32e1cc602c4763417c437a627085f11b0b11be37eaefecea1a176bf50f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
84d8f6c18a093157b574656f8191af73

SHA1
f26aa1e50faea4cecf49a4a4d7f72a4b1cefb58d

SHA256
272bb92c5db86ab8b27365aa65a5bd4686a5237aeb00cd38474e31ea4df90124

SHA512
073a7328e857a316a8c84462227598714f6fbd65fd0bbd3f0cd143e4d990a517634918d3c39654b675e08f70639fa13253be117c37933039c83d7293fcbfe659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e7ac8fac4d575cacc68da634defb32d

SHA1
d90b9b5bb9461e64a32c13a1e9ce4b6e6207e9a4

SHA256
2385c33f88c79c90a54f3e3c81a1b13a292bc7699d82c69b151576a3dfd16baa

SHA512
85ec8223c37d0672711112fa0f3b471d4b0cacde9543a1938e016236ce6f7248898a276a407a745b96037b7af75c447e9a8f83680b6d9ce28d5287f24662061f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
312a6d139e87edaed6443d7b0ffc2c0c

SHA1
c9c3de1258562e7cec6629eaf9b042a91e17b3ee

SHA256
816e4af77da93e0f2b6fc46ca6f2314770b2d1b0bb5a4d73507d3f73928a4303

SHA512
f41b3d1a4649d8fc71218ebc6fdc54d97d68ede6531dc823a30e7e640cf081a2264142ad02a6a2a44c0a48268078a06d57b244f9cc40f41b6d105a2d6479ea11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
db93cd788fdc24f93581ba118d63ef32

SHA1
eda490dbe4ba8e839bb4094550bb4709e8f5abdb

SHA256
d66aeab732970370b2e3b0f18d8387f494d574686d9030f4c7ed5fd3ffc7c375

SHA512
6b18fd2ea33f41499008bbb3daddbaf649af12f9aa302bd99e87f47d644be568403885d251f0c9d25176d58cede8ccb8b0daea1a439833272282d2dfac4576b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d608424f3e3940d0c85c6b35955d1aac

SHA1
3931ccaca8d6f3070def689b53be91d5a635206e

SHA256
ee051e49c9f75c0f1ea7647ec0648be41e8e0c20a91606ca14af434d5f562609

SHA512
deaf4f3bfdcc447984cf3801a415b64e4a0195be230404a097326a03c0d8c650fde5fcf7fd115811cee9776f2e3ad2041041b08e5b41cc79e193d087fcfb6e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e208566da3c544fb068c455e536de7fe

SHA1
05e6aacc8e27024584c522da4d9d0d33e47064e4

SHA256
5a1f5a8afac505349230626341ec24b5b0e382af06383f594fee643fb737a53c

SHA512
6c014929e8595498083d38e97ec8f97252a7d2e00a1254c76cf911083f6af22576d7a85accd9d9340d6e8901b34483904cbd2c0bd5be752ba5f5eb3d0812f4d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ec82b75aa73e70ab642ca0a38ce5001b

SHA1
4e5115cf846bdcc650acfb8c945d14e1d9a84ffc

SHA256
1d2d8953c703fa29d95d819f3b35beda0f8c2997110685fef2ec190ed6bdcddb

SHA512
ea4d499598861ff76c63df62a6972ffc7aacf0e75052840b4ff52b4bdd23111f73c000e48a2853e566fa8a3edfb0aed0118266de619ef63f5e2a978e6edde54f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e152684faba679047194cff276931ace

SHA1
c6507fc9c894a862bbda2096ee7fa616ca236e70

SHA256
8509be5cfbbc0a63e4ff70985e88195912af76c03084dedbea4a7982632dfa90

SHA512
fdba5592ba239c87fd8279d0a916e512c6f6272bb54320661e5cc7ce84bf2aa0c64e90eb4177115804f8b4c6bbfa95899df5c5e4e8e79524ef66570b21e3fc14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
353257cb76face3a850b527d7860a05f

SHA1
426daa24619ee332215c149ac04ab69d7fd1a026

SHA256
d98fa3989c7d4cdf0b0f7c9359bbabd88e3f0ca7eb4d7735ffc1eea202d9b3ca

SHA512
96170466a7b48def838e2e277dc7393751cf4f5bc8e0b8a0a649680af0e8a2cd1b6dd2a3d0705f03e03c1f7f30e3bdecfd60807ca082fd05942a60d284b4119e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe603ec2.TMP

Filesize
120B

MD5
e6fdad35d00c1055d11bab0be8a4138b

SHA1
c09ee83e93918731c2deeaef0565efbd31732203

SHA256
ee57ef773129a9b9214fd61e5018c81cf0ab5f6f8acca33d44f14556b9d10b41

SHA512
2189b5b9205cc7b53de7cb553241f6af69bc34f48c563b0bbb1fa8a8e64612d22836a863da7a4e8c596ca8e9594e2c45ec33f28b8c106fb61a03c5844f471d96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
1151b10dee7887617f50728b622b9767

SHA1
819ebe41f6164ac408b5c09e949d607272cb3c7c

SHA256
cc1c6e5a0c937ac2c78b137112ae2aa0c9c7b0601f457a7e90bdeaaeb6962bc7

SHA512
786e4938dc9657fde7f1aa89c8774093ceb3cd9ef8e051285b006331db6140a635f8b706bbc08d868f610c1faa33b324b0e0d94b2e0f36fd7dd5d38d576f41ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
b3320e07f4d19383b04522128d92c15a

SHA1
260b5c6adfcd63b071d7cf8c16c4cf0403d13212

SHA256
9bde03fd98955da8d430912bc81257a186b5f035f8ced8a5d3da08ecc8004f16

SHA512
1977c4bd60a8b95ffd42d550408a174a06a4d2d19f13274111724798366e9b7400bc694ddfdc85196747eaf9acbf857360e4b381eb630415d3b00385846a05f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
fb8dde308439bb5cde30ed25a9b5f4d4

SHA1
525fbbe92ab8aa288673546ff324c95119a53716

SHA256
1806f54081e5cf2fc380a5cfe9207b516fb70f631b884847d3f34fa753145dc1

SHA512
83e43c47f4738e28672e9158e6b505b4d2131a2b665bda5432858185698db5af552ad7473cc86227d01bf60259b80a69235aedbe6d877e0564cc8e973bd2bda7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe613400.TMP

Filesize
88KB

MD5
57990e9104f5f1229766e1a550caa176

SHA1
2ee9ebcee1c824891b662229e2330f173a403b5e

SHA256
e587de60c428c95dfce3940cae57331678f4631bb441b4a210c4b2e591eba0fe

SHA512
6fd77bbcf7d72ab5980328913fb3f503f9c7ca24c238afdfd0896feb862c4c38ef74561ce88962c8b5a6727c8714b2815c1f6fe481ba7843bbfa5b88ede7e192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03122a1b13704ec06757e576d9c0e6e4

SHA1
3bd67fc0bc36c2d51a4f98aa423ee9804b24261b

SHA256
d51f7f03e7705deeb51c1a19027db22b34caa8fd9f696b73a8d07a7eb000019f

SHA512
2b9569382068d11311f53821f2a9560130cf1e5a3dcf4edbce576f911ac8a1b389d3f7f7b781130dc0ea7172a02864b89de8bfa44dd8a9520a6815ab589ab568

Download Submit
C:\Users\Admin\AppData\Local\Temp\208fb8d1-28d9-40e2-88b7-b3101cfa53e1.tmp

Filesize
22KB

MD5
8a61abaa7503339f2e4b7e82f9654d96

SHA1
d87d6ebfe336608ee513fe223e273daa6cdf6260

SHA256
e1ccf67c2a92c333d5616421d1d8d4a17be6f37098d2b0e7e1b5a5788bcd3559

SHA512
49cd8611bc691b4b085481e5df49a940436cbdf0c5fadfe9010579e946d85c584040475bc30b969e267e6df301855c57345672fc0193888baa133217188c5ef8

Download Submit
C:\Users\Admin\Downloads\c

Filesize
4KB

MD5
37a9cd6863fe0be7ac4fac684fe01daf

SHA1
9b3a0cd6125db47a70e44f67cd34c4033e4b8ad7

SHA256
fc3389aad1ce867a1651a0cdc72ff33073501ec34a3bd36611984540dc611441

SHA512
42515a3aedb4e2139b80d152065bb42b16db01cc11af1d392700ad03662d7b61f8745288ff431c1cfabf5015bbdd9bc573f5367388c60681103f45ac4665195d

Download Submit
C:\Users\Admin\Downloads\c

Filesize
20KB

MD5
6a99fa18d6921277de7ab5af3d4649a0

SHA1
86a1871b49524dc75466474a89c6893a2cc82d7e

SHA256
ac4fa2b814601bf7914ee0dde1059c77a70de66693a758240c182d6c45a4d946

SHA512
94a84915a35fa4c27c7f21eca7fc47635928fa31e5664bb67115be3925e302ec67bd8e9dccc456c0b32deadb0718cbbfd8bccafe1c230c7aab2b9ed87504f19c

Download Submit
C:\Users\Admin\Downloads\installer.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads