Malware Analysis Report

2024-09-11 03:41

Sample ID 240616-dfqe8s1bmn
Target https://github.com/pankoza2-pl/malware
Tags
bootkit discovery exploit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/pankoza2-pl/malware was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery exploit persistence

Possible privilege escalation attempt

Modifies file permissions

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Modifies boot configuration data using bcdedit

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 02:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 02:57

Reported

2024-06-16 03:01

Platform

win10-20240404-en

Max time kernel

177s

Max time network

135s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malware

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A
N/A N/A C:\Windows\Temp\winconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DetectKey.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Downloads\0x07.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629803111661006" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A
N/A N/A C:\Windows\Temp\winconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DetectKey.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 2604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 2604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 2660 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 2660 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1268 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malware

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffec93f9758,0x7ffec93f9768,0x7ffec93f9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1848,i,2038923737374361853,9174255587212238519,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31748:70:7zEvent27962

C:\Users\Admin\Downloads\0x07.exe

"C:\Users\Admin\Downloads\0x07.exe"

C:\Users\Admin\Downloads\0x07.exe

"C:\Users\Admin\Downloads\0x07.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\Temp\winconfig.exe

"C:\Windows\Temp\winconfig.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CE76.tmp\CE77.tmp\CE78.bat C:\Windows\Temp\winconfig.exe"

C:\Users\Admin\AppData\Roaming\DetectKey.exe

"C:\Users\Admin\AppData\Roaming\DetectKey.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /delete {current}

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='mmc.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='PartAssist.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='control.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='Security Task Manager.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='Security Task Manager Protable.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='CCleaner.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='procexp.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='procexp64.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='procexp64a.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='regedit.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='iexplore.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='chrome.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='firefox.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='opera.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='edge.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='msedge.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='brave.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='wmplayer.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='notepad.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='notepad++.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\taskmgr.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\hal.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\winload.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\ntoskrnl.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\perfmon.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\resmon.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\logonui.exe

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\taskkill.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\tasklist.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\tskill.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\logonui.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\Process Hacker 2"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\drivers"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\hal.dll" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\winload.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\hal.dll" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\System32\drivers" /grant "everyone":F

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.180.10:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 142.250.180.10:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

\??\pipe\crashpad_1268_IFYXFDIIQYENJVHW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 eb996dd0efc163c7424ee72d127b2ec7
SHA1 66e69058348c034665c9b30e95c130aded9c67fa
SHA256 0a3aa258565e3f8b08c23bf7eb7b5c8a8e0ba9b5ba70f498338ddb59bef4e5b0
SHA512 62039ac17a3596f00397ea5566c4271e2af84180bcd0756c9b41baf007ede48c4c73a85d66984183423dbef5dab65162830e415b2d76e60f937addc21c8eb363

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8af8a2653ba4ba69b489feafb4f00da7
SHA1 703505d7ef0d0de1e163b395a7797ad008cfe25a
SHA256 325ab34348c9e1eddbfa5fde0960941f6ddbcb6b9a93c2a1001bd2fb1716d4bd
SHA512 81f8f45c0e50a3de00aebe3a6fd46b643f3267ed63ec77c93f77f844c7871c40db0f658fe93eee6934c775b52b55e38ff4690b8065afeea46e5d938a178a9bfa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 5bdc13d52e6b497c3fcce54d4ee5b1d6
SHA1 cd7745b01c1ba4221591eccca9898d4c7539a8f8
SHA256 5adb0a9568ba93a3591fee0489536e9ad743c1daf0eb46eb0f68b33f8a722e30
SHA512 cc9fbbacb8a92fc238b085f2a511a197c0a27e00e9187c62fbdd1a32b8fd07f4000a64d597fc6e289eb9637510929c05ef03035df317eca3d2a15e7339e5d3e7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2c49b6ad4e5882a7b225deabee481f84
SHA1 62fe89c244dae435cdec595c6f6226d4eefb6804
SHA256 201cbaaa78feac6e3456e38d232547f33a4719afcc4b9f0632a9c39e580793a4
SHA512 df5f9131b080e5a5dc8ff89d8b22dd064a81b74e59ef88e1932b86bb5b74cb68d4222f2b221621fdd23c25ad8f165ec3d89f4f509d11480e18414fa08bbf78b2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9ebfaa3594aaac23717f753211ca0bca
SHA1 9f310f0e288c88f890016d7e3b923f54e6f36f5f
SHA256 44c1386ed5828372ffe3d21e4b6317e23e551d9493765e7bf5b2d3ba68135c33
SHA512 ee7e97a390761ca4f5ee412819e8e1bdbaa47b63830377a21356fd2b2153287b79a9236c8f4864f2b3b98d5e833183196ac30204f13ebb8ee783abdbf304e3d6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 bae3f3b214338ba43ef81f14799ce2fd
SHA1 3eab3ccbeaa25bf9e1bec02dad3ab7f277f704cd
SHA256 c4e868526ba1e2795d0678c0cd44e7c24d22a8bfe3a2a34d2f85922111d142b4
SHA512 f3637dcd56236cf7fa9b0e21ee858423980d80314c625ea53770ea1e2163ff84220d73d1cf45e4f01758c71ea89b2214e763c6a053f951a0b86735ebe4089635

C:\Users\Admin\Downloads\0x07.zip

MD5 538ad11dfc1ddeb82f18d74ae66a683c
SHA1 c9e767ad44d5852069da50dfa355ccef32b6b294
SHA256 99dcd7c066843b8f00661445467b4f0e2ee48444e36cf8a3e64bb227b06b7da7
SHA512 0abe0d6ce62d44cf177705c7cb3b813844f853ffc460629fcff55145080a53894151cd5dbb388cb997f923b149a42fb7123154957d64de59261127a7e281fdb3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 de4bf36c6aed32fd644afe74bd1bacdb
SHA1 f5ddf8ffa86b3ae6d7ec896d8c136306b5a9a8a1
SHA256 392ed027d968c7ee208350a6f462a976c206b9e953aec239d0109504860f6aea
SHA512 0410ff2547b6a514e0c5fe75e9bde61f3b4267d12254c37607ea3354d082b655de294629ff77512033f106e4cd7cc23e6b7ee261e4340ebb923fd840a2e37248

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 3d8e4626810e43d7b685c2929a1dfaf7
SHA1 9561e4216fefbb82a000fdb2278eda3747eef343
SHA256 9ed1ab2d3543373c484765d81305352ffecc660956f96b1e8b767eb3fbf0b6d8
SHA512 6b4ccebe1ad1d96d8e08ce3a3dbec3d6571307cf1d460f75f5e080f111709ae935022d64699bfb0c09d1a2fb36f2849d815ef9a1ed43572e6bd44531ee19dc84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582bce.TMP

MD5 ae148e505032bc74e379fd7eeec52b04
SHA1 9b0f81a853ee4f2a868aa153f6fc915fce81ca78
SHA256 9d6e730d66e15f82ac9f34e82a101cc28aa3b4e9dc71b4d43c7fe1a58e7a51c9
SHA512 4d8d85b8b3fd01bb35e0917d97eb13cf4b1d1d0cf16fb8ddff4922538689818f34dc4ff81f70b3d1b8e4c522006ac55cf04f852e5528352402f1dc1ab3b077e4

C:\Users\Admin\Downloads\0x07.exe

MD5 733eb0ab951ae42a8d8cca413201e428
SHA1 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512 c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8ee97ded28fbb34238309dc49c958367
SHA1 28b8edf9dc673262a38a3142f94ab7028ce0290e
SHA256 0b3308d943fc5a5d318741b74bb1bd07e189e0c0437fe61285f502f21676b109
SHA512 38e4186cce0290a327c91dac10a3258ddb73f6bcb3036d8f39464d66e9673d2ace673f3370891006de9a55df089d43c28a89afaaa3c64e3c9cded7a6d781c981

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c677a1ca5b5c1bd9c7b6c88c10678163
SHA1 662a28a675bcb9714ec7b657de89fe668655eceb
SHA256 0602d76b37111a3088583e892d11373d6fec46b1ea845b9668a61cd9f2bc47e1
SHA512 a2d1afb22539425a6a7c96f0d00b5c7ee76eb16e3e7eaef3d59f8b09b8a906abda1399b5c184ee80c5d96918c03d4b23f83c5efcdf6799d6834d1347f735e287

C:\Windows\Temp\winconfig.exe

MD5 11d457ee914f72a436fa4a8a8f8446dd
SHA1 d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256 c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA512 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

C:\Users\Admin\AppData\Local\Temp\CE76.tmp\CE77.tmp\CE78.bat

MD5 a645734f3bf4a2682cbaf546789ec0c4
SHA1 fafcc11909412bf51f217e12dfaa93a15181a3e2
SHA256 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
SHA512 efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

C:\Users\Admin\AppData\Roaming\DetectKey.exe

MD5 aba9a3cf4e1db4602c25405987b809a6
SHA1 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
SHA256 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
SHA512 e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675