Analysis Overview
SHA256
3a521e8eb6c4a7bc7e8981b6377b5ca5a50b47862cd29c15b394a3e1a91cb4f1
Threat Level: Likely malicious
The file release.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets service image path in registry
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 02:29
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:32
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
101s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 23.41.178.51:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:31
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\release.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:32
Platform
win7-20240611-en
Max time kernel
142s
Max time network
129s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2052 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | C:\Windows\system32\WerFault.exe |
| PID 2052 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | C:\Windows\system32\WerFault.exe |
| PID 2052 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2052 -s 888
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| ES | 18.172.213.28:443 | clientsettingscdn.roblox.com | tcp |
| ES | 18.172.213.28:443 | clientsettingscdn.roblox.com | tcp |
| ES | 18.172.213.28:443 | clientsettingscdn.roblox.com | tcp |
| ES | 18.172.213.28:443 | clientsettingscdn.roblox.com | tcp |
Files
memory/2052-0-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-1-0x0000000077C20000-0x0000000077C22000-memory.dmp
memory/2052-2-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-4-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-3-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-6-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-5-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-7-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-8-0x000000013F2C0000-0x000000013FD09000-memory.dmp
memory/2052-10-0x000000013F2C0000-0x000000013FD09000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:31
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3096 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | C:\Windows\system32\cmd.exe |
| PID 3096 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | C:\Windows\system32\cmd.exe |
| PID 1572 wrote to memory of 1408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1572 wrote to memory of 1408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1572 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe |
| PID 1572 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe |
| PID 1572 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe |
| PID 1572 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4236,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| N/A | 127.0.0.1:49815 | tcp | |
| N/A | 127.0.0.1:49817 | tcp |
Files
memory/3096-0-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-1-0x00007FFC179B0000-0x00007FFC179B2000-memory.dmp
memory/3096-3-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-2-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-4-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-5-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-6-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-7-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-8-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-9-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
memory/3096-10-0x00007FF66FD50000-0x00007FF6707EF000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:32
Platform
win7-20240611-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\OawqTxFBUuJSNvRqtfsdsaBWtu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\OawqTxFBUuJSNvRqtfsdsaBWtu" | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\release\map\map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
Network
Files
memory/2248-0-0x000000013F830000-0x0000000140146000-memory.dmp
memory/2248-1-0x0000000077A30000-0x0000000077A32000-memory.dmp
memory/2248-2-0x000000013F830000-0x0000000140146000-memory.dmp
memory/2248-3-0x000000013F830000-0x0000000140146000-memory.dmp
memory/2248-4-0x000000013F830000-0x0000000140146000-memory.dmp
memory/2248-5-0x000000013F830000-0x0000000140146000-memory.dmp
memory/2248-9-0x000000013F830000-0x0000000140146000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:32
Platform
win7-20240611-en
Max time kernel
104s
Max time network
155s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68c9758,0x7fef68c9768,0x7fef68c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1388 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1364,i,13450837753843124151,1553721655716683990,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68c9758,0x7fef68c9768,0x7fef68c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1676 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2780 --field-trial-handle=1368,i,17832355121792930357,11403200759269870705,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
Files
\??\pipe\crashpad_1408_LVCIXYUCFXEHNBVQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fb96ec20-e3ca-47e9-81d4-aeb5fc516f09.tmp
| MD5 | 9b7a52bb67d76317e5d5ef46b5d0abf4 |
| SHA1 | 4afbe135217df7d56c61a7e07b59d47a8f1500ff |
| SHA256 | 4739474b3445188f14b96c35c52521dc54d5bf1cf048c3412ca57ab03362a590 |
| SHA512 | 947368ca89316fc095cafaf8012aaf5ba30bb4bc1ce7147047c0966081e76b0d27b577200de41dbb34dafc660ed36607da97b9c9983f040fa8debbea917f3a18 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 9603934bfd2988e071be8969a5a3bf35 |
| SHA1 | 587d988ccf506448af1347612036144275756198 |
| SHA256 | 0360b912e54a1df87d256e63c082435dbfeed5cdce815b39bacca8823ac67eb4 |
| SHA512 | 28cf398370d81a0c178c5d8088bb7f8250b6437473aeafe9f026a672f553caa55391fb0ef71fac73b4717a681a0f02a054533c615230f4fa6252639e2ec64331 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | 9eae63c7a967fc314dd311d9f46a45b7 |
| SHA1 | caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf |
| SHA256 | 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d |
| SHA512 | bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
| MD5 | 22b937965712bdbc90f3c4e5cd2a8950 |
| SHA1 | 25a5df32156e12134996410c5f7d9e59b1d6c155 |
| SHA256 | cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb |
| SHA512 | 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
| MD5 | c85d213628fa7887f739adadfb21b1d8 |
| SHA1 | 915d3449285d6e9e341f6b87a3aa8369d55a6457 |
| SHA256 | 5b3f77be789b1e129aa44a05e31e0838241885449383d52f4b949f820cba6081 |
| SHA512 | 15cc9905ae15b304292aade2043e9920e0da3c4f57d8e72b034b858bf7b6359b4767faffa395ed4b4501d61696f21587742d92a7beb7b14c508e60969e41096a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b906db17250e9b65498bbeb3808335b2 |
| SHA1 | 0ba8e2660d394b9b8dc994ec4757726fa6ad88be |
| SHA256 | 489855d4c1134479a9077e4d267268d496e99f7468b4761d415ddd732047fbfa |
| SHA512 | c2fddcfeafa20192cf5c30c00856d19609856508493bc4c39efab3e00251d39e5463601728b69c49870e50ae17497ed38752acd916cc1a35445283e73e3b1f12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 8e4a76feba407f7e921d1f7d0d26761a |
| SHA1 | f19413c9e18f0abbf758e98a985a0fa1e7418d46 |
| SHA256 | 3ed8611d367ce5a3c580f1b852d3515d9c37ca0329bf191fc35a44dda8a3218b |
| SHA512 | 5d684188b7e2bb1182c4a7139427eef526bf9474c2508d2ebd3de84897c86101f4ac603a95bec030b5de7f83044725134dbd9b0f850b40d226de1af529affa25 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007
| MD5 | 2ac0494b5c4c6d605281ee87339a0cc7 |
| SHA1 | 6ea0fd5480bd086ed4110d0622388574f0222666 |
| SHA256 | 53161ecf97484ce07e22fbed3f642f3c1daec51a22b84be407522e5d38d2afbd |
| SHA512 | 77c6a0422b17b90dcc84094e184020613bfc7f71f07bb6fe15a68f48330e7b374c5228d65606341248983e3ec17c9b30a61e31ebdfac73f7e6abeb9d2b5f8f7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | f8e3e574a71854231f6d59bc29059954 |
| SHA1 | 3f04f8d7d916ba51f3585b6dfd496fcc9e9f3ec5 |
| SHA256 | b8e5ef0d6e96eb74d27f63ab45333378c1523011a43a75d9face9a6fa83ab178 |
| SHA512 | f90431473a1a2be133cf286ae756c7f1b1ff54909ccc2aed69d92914d38ced4064654d8d57b93455b069c9e137c0b9ed9bf554ccbb187fc67df89ac4709f7c68 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log
| MD5 | e0c1a5ab8817127f70d37c7c09fc9774 |
| SHA1 | 915312cd6fdbe5f16b0141f493b9fa5b875fa8ac |
| SHA256 | 5c412347b1641676a2ace0e9eb2336b259a832f31be983a74d858ad7b5a293f7 |
| SHA512 | 262b15bd889ee1596407aa903b6c49137ea75b85064aa40ed79b18e7824160dedca6ab678b9f84b48a9c5d86d6a782112f5ae5f1fd7d271e35202942d043aa4a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
| MD5 | ef5b9858f36c9a062e7407840420446e |
| SHA1 | 6690ef315ebfa28407ff35908e38fd01ea9c7542 |
| SHA256 | 3c0cab9695dd8034025a5b6456e54db827504dcc09d19d8acced13515ee0626a |
| SHA512 | 26098193f0d6edf2405f9553bb38cb44f5ef8401500c722ac05195946027b97208f6808cbabddcb022c1fdcdfe299e24c609932c22eb1cd401a3b6c7ecaa7f57 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb
| MD5 | 57109098f801dbc74002b5112101ec42 |
| SHA1 | 8e44bddb46315a85e76ca0d076a0607ceff03ce7 |
| SHA256 | ccbf78b575b09210199bfb117f7bccb67a70e31132be12f30e60fa26d2027e38 |
| SHA512 | 4af48a77674fe57997aa1ecab9512c4ca4c2efff1008a41f2e8d9fed9c2d107465052adeeebb3434d016387d172b348b3dfd53ed46d76d0efecd47c2fd278f4b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007
| MD5 | 1be22f40a06c4e7348f4e7eaf40634a9 |
| SHA1 | 8205ec74cd32ef63b1cc274181a74b95eedf86df |
| SHA256 | 45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691 |
| SHA512 | b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
| MD5 | 887075a72eb6b956cda15d1de30b36bf |
| SHA1 | 7f24621c0e024188fc73859b9660aa3a70c9d529 |
| SHA256 | f04b0b92fcf018e766fc34af782b3d82995daad9d6f8f1b21fb5a5843d0f4258 |
| SHA512 | 587aaa974628a682a778b887068eed41275901dbb1cb924cfaed4bc48a2a6376d3bba793c626d5f68c260792c3eba837a7fc2e186689640d354f61c881dc1bc5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb
| MD5 | 4864d47bc6291efcca70b99e776069e3 |
| SHA1 | 8ee841c1a1748a49ebf34217dfb9c13600bee8d1 |
| SHA256 | fd429ebb6ccf5bf23ab3f3fdc78094d8695328597ecd00ad3745890953bb9750 |
| SHA512 | daec1baf66f323b3c718f5f5e708f3208e6eb90bb38fb973a5120211baf015b88967a1ffea34a798b5406f99968bcd81157cffaa1cd6095cb2a9025d92a027a2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log
| MD5 | e556f26df3e95c19dbaeca8f5df0c341 |
| SHA1 | 247a89f0557fc3666b5173833db198b188f3aa2e |
| SHA256 | b0a7b19404285905663876774a2176939a6ed75ef3904e44283a125824bd0bf3 |
| SHA512 | 055bc4ab12feedf3245eaaf0a0109036909c44e3b69916f8a01e6c8459785317fe75ca6b28f8b339316fc2310d3e5392cd15dbdb0f84016667f304d377444e2e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007
| MD5 | 5c28cc519c3870f9046f7149c730a37f |
| SHA1 | 52984267a05b6c242ff857509386dfd43b3b9560 |
| SHA256 | f84d83b2c870b1820d31c3dc954b27474343c816f37c39aa7841d2de9e97f35d |
| SHA512 | 445e849f06606dca371e69aec27fcd871cf5d9e0be54d421fc4a3a5cfc1c587f203622c393f8a4b81ae950bcfa0862955295e83722cd0b5fc7783a9c91b9962b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
| MD5 | 3c91cbf1c3d47bf0dd5cbd504203705c |
| SHA1 | 7980abc5fe260a82c1d47874a699e0e629cc8997 |
| SHA256 | 3c1270c586069ada2bb8243d293cb2395c48da78bc2fdfe8f7376e34eb8a2d23 |
| SHA512 | 02062e6786726c7e677e607d74f97ba22369b22cdd94cc82bb3963447fdf8a69a0eb694a6f9da06ec76960022cb6571f8d9254cd4a077c59fdbe39406595a3fe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 39118eebc87a9e335413c69c4dcab452 |
| SHA1 | 908d79e005da2ebbae83119da771cc10c99ad191 |
| SHA256 | 42a9b52f39e64baf75c4f5d27163a4439ffd76a3b2c984549bc00a5286836a6d |
| SHA512 | 3b085c6df737c0b6c46b1e8f38ba73e6790181042ae2632472d3dcb0b002199f430d4e30050cf0fde17bc6ecd6d572499cda1b3d2fd5ea2330e65a19ee054ce6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
| MD5 | 10aab8abcd869bf175da63ec7745c895 |
| SHA1 | 53d0db656481729e849f4109fd04cd8d0e6de2c9 |
| SHA256 | eace6cfc94e03425b33710c0f324ca8c03b5148c1a2658083316a5c03c51dd03 |
| SHA512 | 3ec88aa9ef24ba3912e2e9c80cf3631bdca2069dd388756dc3baebb2a67795b2de9e5cdf311408319ea8892df70292b6e218f007a3b791650dced710fd1aecda |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006
| MD5 | 78c55e45e9d1dc2e44283cf45c66728a |
| SHA1 | 88e234d9f7a513c4806845ce5c07e0016cf13352 |
| SHA256 | 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec |
| SHA512 | f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log
| MD5 | e9c694b34731bf91073cf432768a9c44 |
| SHA1 | 861f5a99ad9ef017106ca6826efe42413cda1a0e |
| SHA256 | 01c766e2c0228436212045fa98d970a0ad1f1f73abaa6a26e97c6639a4950d85 |
| SHA512 | 2a359571c4326559459c881cba4ff4fa9f312f6a7c2955b120b907430b700ea6fd42a48fbb3cc9f0ca2950d114df036d1bb3b0618d137a36ebaaa17092fe5f01 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007
| MD5 | b6d5d86412551e2d21c97af6f00d20c3 |
| SHA1 | 543302ae0c758954e222399987bb5e364be89029 |
| SHA256 | e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191 |
| SHA512 | 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
| MD5 | 5d6a37d94e949b12aa6c46c09ce63448 |
| SHA1 | 52a3885548c050f651ddea20d019a6264e4ca6c3 |
| SHA256 | c567d8705ff0c84ed1d7b0a86f07e03d16a17608f714fac5d5f5f082be33f8d1 |
| SHA512 | 9abc85ff3361e2d4ed93c022759a7c92a48722e95395d3da6a19a1357b5ebe96ea2bd3ebe597503e38df7ba7d70752f5e357e213a4a83b4062497ae3f6dcf994 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
| MD5 | 31a47ef7b45ef6897709f28b94ed00ab |
| SHA1 | dfb8d3f6e5139b71b62f694f2e1016ede4d0fe0b |
| SHA256 | 0d429adc85434d1075cc6ef82cbed076e5918058a8e80d76251405fef299dcf2 |
| SHA512 | fc5ac156ebe5c9b2b33818d9b361fe3a7c6c34699bf20f2390c776e7870d13bc85cf50c19604f9ba03b4fc7cda8995e767c0bf831d35e9e7b3717cab8370952d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
| MD5 | 7d3d75502c1582340bb96fba9e8b55c3 |
| SHA1 | 2db02efb8e41c59e3af4399c1a6d2f48b3cf8a13 |
| SHA256 | 8f99cf5bbcc51b70ed6c537a417145b0ae215d8e55b63a7a3b790c223282f59a |
| SHA512 | a863c670efafd98c264e1733db82adce473ca10c4b694c7e8b16c760895f36d297b39b5cd2f83be4cecaa1ab0795eaa00a95f91597897ef1d0c4939032f7af2b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
| MD5 | abe17fc6377d1c9737bababd467636a1 |
| SHA1 | 4b2cccf66116fefe0e0ac9b3b43e2c95b159b046 |
| SHA256 | d7351c5b9ff4f1b3b7527b108468e68965064134225ae2963d74bfeb33761f87 |
| SHA512 | 1345e8952c7d88835f09feeeaca9e3a20914618acfa82e4cfc2e21840dda6b0a1862597366934ba9fd49d2c48e660453c817717217a9834051545432149f4202 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0e96651aa6e57d5d718fdf3686345e26 |
| SHA1 | a343e550f3090add19d008542c3ed41bb4a18596 |
| SHA256 | f470f5cc3e2adf65fbcdf7db032568fb44e905f8fab2a1d56e1f6ba364ff3972 |
| SHA512 | cab021868249843f7d5aab29c007e017bd88fdc88ffc17c6a70be531508eb40bcfbfdb4f089a6f50b0215d8008e51396f2f024c2b1d551cc6f5692f4f3a6d231 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | dd3538474b254cfda78a02b430ab83f4 |
| SHA1 | 7f1aef7f3ce0a934f631860e4de0e0b9da86e144 |
| SHA256 | 4b1ddb06a108f02882f0eb9b4fd89864c86c02313c67bcdeed2e1ec0a31ed4b6 |
| SHA512 | 6b4c5233c59fb9ec8403e1a720fe050ca5fc419087c1759d9322e10584c0ad67cf61846b046455580cd0a49e036e137eb9b1c43c6f6e43d8c7d44046a8d8dd56 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
| MD5 | 405d5b67c9917b16ee8ea4bb1fb22f2f |
| SHA1 | 4e5908bb47c8fe80a17ac63f42b7d68c51bb5f6d |
| SHA256 | 2b97d6e8d6e49652952e62ca646e2a10733f2b34c21bf78f8676d4bfa4e6a606 |
| SHA512 | 8a19c7e4fb2afb78083dbc40d8dfb62ecf1583782a089432f3b678e54ad0d2ae028c1d0a90ae11de67e5c766edaa0029bc45f04d21d42209f4819e7fac9dd972 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | 8b886fea030513e9b61c995f66f95d45 |
| SHA1 | 57c98cfd9bb3fde04a55d5a7875669b6a1e0cc02 |
| SHA256 | a41f542991abc21c62e3cba01469602aab692b52be46e27f04bbd8a0b9b68603 |
| SHA512 | 2ca9e7823201999a342c74184027a06abb35e2e8c1367f42e08fe32b9bb0179a5ad99859b57acc50bb24035a10a8e5d978b8f4a40ebc0328bf276814aa49dd91 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13362978618660400
| MD5 | 9a96c087de0bd38640a29828f5e71311 |
| SHA1 | 8e8f75d67b74ede9b10fc8aafa65c0cb0a3679a3 |
| SHA256 | 1694c088848213d622d64b40983ad2b91752537523ad20679049ef484ea333f4 |
| SHA512 | 6ca8f201981b5e40a6d273107e2942a6d59b8e0fe70c496095cbd5b17b75473ed4bd3bbbe8d6c888e4f654e11013e9d26684bc0a7a0f98c11c2ffce9e7664a2d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
| MD5 | 5cf40d4a572da2e992d9d96fd62a71ef |
| SHA1 | 050b5cc9e26406605fa9c2e7658c43e785f4374c |
| SHA256 | db1038bd756e9b48c35ac8d94351cfce279a5e6f15b9b5e99a3ed234f6e66091 |
| SHA512 | 60926f849f5f8fcb6bda5819655b42bf6415254b5407e2b6c794cad47353efcad48ed373dbce8cb2e3ef95ddddbc10d27160b5f7a4b0afc316681c04fcbb1af5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 27aa0679b42450d88e6648faf98e3c5b |
| SHA1 | 5332ed2508e5c3fbfabd1b2ea0cda51b8a39b379 |
| SHA256 | 86f19ccc1ae1288136476d651800d1178962c365a33088aada4dfd46bc59952a |
| SHA512 | 3ec78ca04d49c2f9463303f0403c75de704e042874dd61c75467a7d99a6d64f124c392216d0b06a616e392e0eb481808d8ab15e0cbbd012c20970ca2f2e111f6 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:31
Platform
win7-20240508-en
Max time kernel
143s
Max time network
118s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2168 wrote to memory of 2664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2168 wrote to memory of 2664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2664 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2664 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2664 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2900 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2900 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2900 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\release.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\release.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\release.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\release.rar"
Network
Files
memory/3032-30-0x000007FEFA9A0000-0x000007FEFA9D4000-memory.dmp
memory/3032-29-0x000000013FC50000-0x000000013FD48000-memory.dmp
memory/3032-32-0x000007FEFA810000-0x000007FEFA828000-memory.dmp
memory/3032-34-0x000007FEFA7D0000-0x000007FEFA7E1000-memory.dmp
memory/3032-33-0x000007FEFA7F0000-0x000007FEFA807000-memory.dmp
memory/3032-36-0x000007FEFA680000-0x000007FEFA691000-memory.dmp
memory/3032-35-0x000007FEFA7B0000-0x000007FEFA7C7000-memory.dmp
memory/3032-37-0x000007FEFA660000-0x000007FEFA67D000-memory.dmp
memory/3032-38-0x000007FEFA640000-0x000007FEFA651000-memory.dmp
memory/3032-31-0x000007FEF5E10000-0x000007FEF60C6000-memory.dmp
memory/3032-41-0x000007FEF7470000-0x000007FEF74B1000-memory.dmp
memory/3032-42-0x000007FEF6980000-0x000007FEF69A1000-memory.dmp
memory/3032-44-0x000007FEF7450000-0x000007FEF7461000-memory.dmp
memory/3032-45-0x000007FEF6960000-0x000007FEF6971000-memory.dmp
memory/3032-46-0x000007FEF6940000-0x000007FEF6951000-memory.dmp
memory/3032-48-0x000007FEF6900000-0x000007FEF6911000-memory.dmp
memory/3032-40-0x000007FEF5AD0000-0x000007FEF5CDB000-memory.dmp
memory/3032-43-0x000007FEF7730000-0x000007FEF7748000-memory.dmp
memory/3032-51-0x000007FEF5A30000-0x000007FEF5A97000-memory.dmp
memory/3032-61-0x000007FEF36C0000-0x000007FEF3840000-memory.dmp
memory/3032-66-0x000007FEF2A60000-0x000007FEF2A76000-memory.dmp
memory/3032-65-0x000007FEF2A80000-0x000007FEF2A91000-memory.dmp
memory/3032-64-0x000007FEF2AA0000-0x000007FEF2ACF000-memory.dmp
memory/3032-63-0x000007FEFAD60000-0x000007FEFAD70000-memory.dmp
memory/3032-62-0x000007FEF69C0000-0x000007FEF69D7000-memory.dmp
memory/3032-60-0x000007FEF5860000-0x000007FEF5872000-memory.dmp
memory/3032-59-0x000007FEF5880000-0x000007FEF5891000-memory.dmp
memory/3032-58-0x000007FEF58A0000-0x000007FEF58C3000-memory.dmp
memory/3032-57-0x000007FEF58D0000-0x000007FEF58E8000-memory.dmp
memory/3032-67-0x000007FEF2990000-0x000007FEF2A55000-memory.dmp
memory/3032-56-0x000007FEF58F0000-0x000007FEF5914000-memory.dmp
memory/3032-55-0x000007FEF5920000-0x000007FEF5948000-memory.dmp
memory/3032-68-0x000007FEF2940000-0x000007FEF2982000-memory.dmp
memory/3032-54-0x000007FEF5950000-0x000007FEF59A7000-memory.dmp
memory/3032-53-0x000007FEF68C0000-0x000007FEF68D1000-memory.dmp
memory/3032-52-0x000007FEF59B0000-0x000007FEF5A2C000-memory.dmp
memory/3032-50-0x000007FEF5AA0000-0x000007FEF5AD0000-memory.dmp
memory/3032-49-0x000007FEF68E0000-0x000007FEF68F8000-memory.dmp
memory/3032-47-0x000007FEF6920000-0x000007FEF693B000-memory.dmp
memory/3032-69-0x000007FEF28D0000-0x000007FEF2932000-memory.dmp
memory/3032-70-0x000007FEF2860000-0x000007FEF28CD000-memory.dmp
memory/3032-39-0x000007FEF44E0000-0x000007FEF5590000-memory.dmp
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
| MD5 | b3ad5b4a85a1cb1cb93fcd7ca4e546fa |
| SHA1 | 7d15274b51f3da99d45025f5776992b3bfc8a35f |
| SHA256 | 63aa3f657a65a47280405d5c42a9fc858da7109a65fbae3ad8446a2bc72ea226 |
| SHA512 | f6e26d0e557f944277c1e2fb0a95d51da985f922c6f8c746e012128662cbdd7180b6fccb13325f36dec056c406809ea485404d7ee746ad0674ac526d588e813e |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:31
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release\main\loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 23.14.90.91:80 | apps.identrust.com | tcp |
| N/A | 127.0.0.1:49207 | tcp | |
| N/A | 127.0.0.1:49209 | tcp | |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 104.90.25.32:80 | x2.c.lencr.org | tcp |
Files
memory/1504-0-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-1-0x0000000077220000-0x0000000077222000-memory.dmp
memory/1504-2-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-3-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-4-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-6-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-8-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-7-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-5-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-17-0x000000013F180000-0x000000013FC1F000-memory.dmp
memory/1504-20-0x000000013F180000-0x000000013FC1F000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:31
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\release\readme.txt
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:31
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nMEHufbaoVHjDMu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\nMEHufbaoVHjDMu" | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\release\map\map.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\release\map\map.exe
"C:\Users\Admin\AppData\Local\Temp\release\map\map.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4416-0-0x00007FF7720E0000-0x00007FF7729F6000-memory.dmp
memory/4416-1-0x00007FFE75CD0000-0x00007FFE75CD2000-memory.dmp
memory/4416-3-0x00007FF7720E0000-0x00007FF7729F6000-memory.dmp
memory/4416-2-0x00007FF7720E0000-0x00007FF7729F6000-memory.dmp
memory/4416-4-0x00007FF7720E0000-0x00007FF7729F6000-memory.dmp
memory/4416-5-0x00007FF7720E0000-0x00007FF7729F6000-memory.dmp
memory/4416-8-0x00007FF7720E0000-0x00007FF7729F6000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:32
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
56s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\release\readme.txt
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-16 02:29
Reported
2024-06-16 02:32
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| ES | 18.172.213.21:443 | clientsettingscdn.roblox.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.213.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.218.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.210.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/1964-0-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-1-0x00007FFA7FCB0000-0x00007FFA7FCB2000-memory.dmp
memory/1964-2-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-3-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-4-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-7-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-6-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-8-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-5-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-20-0x00007FF73E600000-0x00007FF73F049000-memory.dmp
memory/1964-22-0x00007FF73E600000-0x00007FF73F049000-memory.dmp