adwind | ddf1395c86c239c3c9c930038e69e5992c3d8260a47c96c1a21cdc770dfd5bf4

Resubmissions

21/06/2024, 17:58

240621-wkgm1ayfmc 10

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21/06/2024, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Blank-Owner455.exe
Size

1.3MB
MD5

0708b141816e1287fb4bfec4c837ef6e
SHA1

65884a0d7f3fab21c1e1d9432525f6f9d255744a
SHA256

ddf1395c86c239c3c9c930038e69e5992c3d8260a47c96c1a21cdc770dfd5bf4
SHA512

cab5388cbad7750362acec225385d62abfb01cf7dcc32c85555334d90c86d84212bcf0dff47ff960003805cb2c4ef962543ae328ffe2fc75f4c156e01ef24e84
SSDEEP

24576:8x6//3ra8haNNG+NOYJFYNxNTvliZMa3X3N:MSWMaHtNnKNiOaH3N

Score

10^/10

adwind discovery persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	Blank-Owner455.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	Blank-Owner455.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2692	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1718992771593.tmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1718992830887.tmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1718992729687.tmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634663862406571"	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	Blank-Owner455.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	Blank-Owner455.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4964	NOTEPAD.EXE
4468	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1248	chrome.exe
1248	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2336	7zFM.exe
3376	OpenWith.exe
4636	7zFM.exe
2816	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2336	7zFM.exe
Token: 35	2336	7zFM.exe
Token: SeSecurityPrivilege	2336	7zFM.exe
Token: SeRestorePrivilege	3860	7zFM.exe
Token: 35	3860	7zFM.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeCreatePagefilePrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2336	7zFM.exe
2336	7zFM.exe
2336	7zFM.exe
3860	7zFM.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
4604	7zFM.exe
1248	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe

Suspicious use of SetWindowsHookEx 60 IoCs

pid	Process
2428	OpenWith.exe
4376	javaw.exe
2244	OpenWith.exe
3376	OpenWith.exe
4048	javaw.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
5364	javaw.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe
2816	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4376	5072	Blank-Owner455.exe	83
PID 5072 wrote to memory of 4376	5072	Blank-Owner455.exe	83
PID 4376 wrote to memory of 2692	4376	javaw.exe	84
PID 4376 wrote to memory of 2692	4376	javaw.exe	84
PID 4376 wrote to memory of 4620	4376	javaw.exe	87
PID 4376 wrote to memory of 4620	4376	javaw.exe	87
PID 4376 wrote to memory of 1184	4376	javaw.exe	90
PID 4376 wrote to memory of 1184	4376	javaw.exe	90
PID 1184 wrote to memory of 2016	1184	cmd.exe	92
PID 1184 wrote to memory of 2016	1184	cmd.exe	92
PID 4492 wrote to memory of 4048	4492	Blank-Owner455.exe	119
PID 4492 wrote to memory of 4048	4492	Blank-Owner455.exe	119
PID 4048 wrote to memory of 4844	4048	javaw.exe	120
PID 4048 wrote to memory of 4844	4048	javaw.exe	120
PID 4048 wrote to memory of 3784	4048	javaw.exe	122
PID 4048 wrote to memory of 3784	4048	javaw.exe	122
PID 3784 wrote to memory of 3196	3784	cmd.exe	124
PID 3784 wrote to memory of 3196	3784	cmd.exe	124
PID 1248 wrote to memory of 1712	1248	chrome.exe	127
PID 1248 wrote to memory of 1712	1248	chrome.exe	127
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4808	1248	chrome.exe	128
PID 1248 wrote to memory of 4028	1248	chrome.exe	129
PID 1248 wrote to memory of 4028	1248	chrome.exe	129
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130
PID 1248 wrote to memory of 408	1248	chrome.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4620	attrib.exe
4844	attrib.exe
4884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe
"C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2692
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992729687.tmp
    3⤵
    - Views/modifies file attributes
    PID:4620
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992729687.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992729687.tmp" /f
      4⤵
      Adds Run key to start application
      PID:2016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:624

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4468

C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe
"C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992771593.tmp
    3⤵
    - Views/modifies file attributes
    PID:4844
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992771593.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992771593.tmp" /f
      4⤵
      Adds Run key to start application
      PID:3196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa2e60ab58,0x7ffa2e60ab68,0x7ffa2e60ab78
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4732 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3652 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5144 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2896 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2708 --field-trial-handle=1940,i,4897145085093273509,6537140090646347945,131072 /prefetch:8
  2⤵
  PID:3700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2476

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Blank-Owner.rar"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4604

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5364
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992830887.tmp
  2⤵
  - Views/modifies file attributes
  PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992830887.tmp" /f"
  2⤵
  PID:4168
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1718992830887.tmp" /f
    3⤵
    - Adds Run key to start application
    PID:532

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4956
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC12846B8\checksum
  2⤵
  PID:3432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2816
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC124D769\qBCrnyGwukynsVTgOSptqniebLX.class
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ebba4ef3ae4677f6280fa729648c1aaa

SHA1
7d13859afc5c5599c7d107833f85ef34713b5d5a

SHA256
bf294b917df8675dab0e2582d8d25b6f7a435672e6a59468fc483a13c39842b5

SHA512
cad86de001564bd1e731f74d8a8ebfd9330f62fb6390f7c240a99a353f14e3353d85f9a19fe8315c15b63b36e548bd68cc4af793e3a3a293bb5c37a1f8649fd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
45057a97c76a3fd43c904d787048db4a

SHA1
830abff53e15a9ccb3ec15e21a644c9260005db1

SHA256
b8ecd49197df95686bfa1028a7e1eefa1a19353f9f82191a0058144233193f31

SHA512
e48856be65f2eb9d3808f233fa2d509f8e058d69cc3e39d2841790d6a91a9d96b3348dbaec57ee56d358b827c95c9fa36445acaddf6cd2ad39294ca8639ec875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5f7cf381560a4135076575f2c29ab40a

SHA1
9f00e75e8c8aeab04256035a9e04af0d5a3a3636

SHA256
f27de40374dd2a400d6c643569a22172bcf61b69ffa6c66ce96b1a005f0e2180

SHA512
0aa61dc1cbce107e7c31433e1ef39f622cd805d19a6fb9fd5de7dae1adab257cb5b390425afa8fc37b59d71859d42317885db9cb9d26fcef8c66f44819c31f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
deeef2b8ea08aeda20a359fc9509a5dc

SHA1
610ff3b9042c3ae5ab749d8430e8918b94760b39

SHA256
c8a2b15c2752b7f664e86ce4b25f0cccdf1f804fa2798ac4c79a0b75b33f9fac

SHA512
238bcb9a15e1d9605bf511f10f32a753709de9abbbe170a3def15e0e9fd6c250943a1424d85d3e10d249c2fe1e29813e3ecfedf8ab36bf930f2bffc9def81814

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
384232916ed985b802b7b9d133f16fc6

SHA1
ddc5a20fb5db1a5f3ee9779b8d5eeb6edbfb25bf

SHA256
25afe0be42e7a52af9bb45487331357f9558762cfc8744f8ff90c75706162a03

SHA512
7c4b7026e8ecf93ac6e8cf1c9c2c111f82e3e66b8043cbfe595f9c3d1f88ab7ef785bdb33a12bbc7ade0633af65e098e7e9d19349a3c50a377d26bfe4d93b8d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f15fc7f320a54e9908b5cbb9d248d93b

SHA1
f6b9431b632503683104ee1fbb5831258706a4a4

SHA256
db7d1083007241cc87c63ce330ad4ff525016ba4932455a0e43ea6bf36020b8d

SHA512
1f68d9f7402e7bc58aee3cb1c2cbc90622f73f58907389a869ab2da9b04668172308c34f478451c436e1ee513d2aa564c19cde1c58b6492cf481b9862a2dc3d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c82024495906d7a8c64d9de88e39f8af

SHA1
6f6c48e2d2c68b691e59bcc65f4c6047b2f59589

SHA256
3aa5046f747a0ad14dafbdc90758fec0b367eb7f84d7351738a0e13437d0ad8f

SHA512
95b3cb1b9423340a0d9bd517ccad55e3df8a18f838c761455751b9df7a3e161ba5b15ed9a38934fc93dd07bcfdba361c127d0c506bb4fbf728b3f66039694b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
72baee364952ddac8b598ed7c968cc68

SHA1
f7f158c49c7cefb7f24f63d1965f5ec781c7a7d1

SHA256
bb2982302cfbbd7d54b68c9859c1c11ad9e2c028d87ea9602998050b11cbcdad

SHA512
eff946952a59cb88bdfdc430ccb50cb721af98d675faaae2357a09c4b2f86f8a44f0e1f922e9714c0e3edae94b3e4bb219bf84a8163eb75d69f1807d5f83ebe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e3aff487f618d51aae7cab7806a518d4

SHA1
d8ac36476d5ed7038fb84164714412dab45cc5fd

SHA256
cf71ef539d1a954f5c1da290834602beb497c1de2ee21b12dca6f4e38653027d

SHA512
7feb5d208a22a2d10e927972900a9bfb7bee52f3723028bb3191f49e2938cdcae08df2eeb43c93aff766ae80cb3c5c22422ff3035594039ff18c66f12cb51f0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ea188659694aa13c781d25d05b685f1a

SHA1
4e969a22f2f4fbe686c9ed1449245d4c2221f902

SHA256
36a86d07bd0a33a270ece702296ac42937e8c9c41d26ecb36b767c3aed1756f1

SHA512
90d9a9a464f3772c235721b30b96b6ebfd355a2e26559330935bb92b395f4dd9d91eb78ffe84fc0878ac4b8c4c2a92dd10bc3912d751742bbf353180577a4e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
33c76910e9242f2e8a8d0747c2724da6

SHA1
11eabc6cd7b1e2205b8e6e352a1b9b5ba6d00d42

SHA256
cd0be713124262a140b0eeaf881973cbcb82eb435fccf750d5fe98bd1e67aef0

SHA512
4be37f5cdc91c986bbeb5af589e74fbf7e9df2d2e56c7bedf87b6a0c009cde67a150f1935c115aefa67ebaf64c9cd6ed5be8d9018cf83dbaecf79821dcfe4c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
0cfcf444270f233b57faae410a992c90

SHA1
bb7c08fe7337971ce0062ceab4fae8187a69a030

SHA256
06e18f72d9575080955c54ed149db1502d6b461b0350de2f59a45cb5b848a6a0

SHA512
9ee936688a8f263b4773f21290762f127300f748147486bc02398acf438469b2d5dbed2e0ff9ec16383b9c622c2141d9c9f4f22dce620715a9bba1595cdfdfe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
2ab3bd6206c2eb305aea27c62a9afd98

SHA1
a6c1122cdcbef4369482c9181d0c674f17362b60

SHA256
ab9d40d946bb6a94658d54be8a671a2dcbd3c2affbc8b3e9d3101fcfa961b470

SHA512
a11be7ba8c239217ae564254b9816120c76c80ce279e7546a217065e4ce473dbb6039d2fa3c5f2e626b7e8ddf00ada3e419e992b569b6f2b8e2fdb48e09d26da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588b53.TMP

Filesize
88KB

MD5
af87ca4c93804ed9816093cf84dc19ef

SHA1
a9330107dc215cb0a7566f0f470c7b7ed7d7f8ff

SHA256
348a8caf697ae29f83320f2573d4c5478309b32349c13e285378008e1c8a0fc7

SHA512
2ba21f6c4ed5d7ac358a8e056c93de1d8cbe79e289ed559b951980ead557ac6dd6918fcd11f3f84de45c252bbef7b149357c29d0c5f10cd9ba9a386b0db80276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Blank-Owner455.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC124D769\qBCrnyGwukynsVTgOSptqniebLX.class

Filesize
1KB

MD5
d733719962096cda529a0d261910e84b

SHA1
c652a56378446df7a98f082a0c0cb2163d5b5c8c

SHA256
685aa7da718f59786d55c79d76441ffbcb1b1060aeecad27a8f7ab52bd37f30d

SHA512
cc81bb2bdf2ae084b9ee856e04c5b442f6b6c22e012b1d2bb2fa1ce449ff59cc48eb4f45fb5ef45d6d47cca6206a458f7a4d08ae95be5d59270a324e5eba6f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC12846B8\checksum

Filesize
625B

MD5
655a907bc3c0513a72d86d4b180e340b

SHA1
ce44d91b3720b8031cd1c6ca275ad31482d4deac

SHA256
d24f101afcd0862781a3d4403d004779c4362f8d3e32124993a57ac568e7f198

SHA512
43d66d8ef220f09000636769ec1b7c04c6b8e7f490695d23cb409d748a939d1dea3a22a61dadaeccc0e6b57c1df5417377355c1f8b86ce3fc27a92a61be2315a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blank-Owner.rar

Filesize
316KB

MD5
4bb75dd3f0af72e071b7072cf1f1b494

SHA1
bd17cdd9a3af9e0c43dbd2e4bca71f3a53a0f684

SHA256
8bed2b83b1f3c779f551d3be05ba3aa3f62ce200026d9a6a48a89029b3650a8d

SHA512
e197bb0007b060bcd48da64bfaef69739454e6e434a465d4fc9cbc0aa30b2568d90dc433bbae076dbc30cf1bbcc2cbb2782b889731391ce118d967598ad0101c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoonRar.jar

Filesize
830KB

MD5
d8339dcc4a19345bd7cb55def570eef1

SHA1
de69d3fe9a794282859c106e9a90e6647c1a0305

SHA256
5eec9251dc8001252eec5303f4de828ee5d9dc079680d6d6ce6b192c10a1f7e3

SHA512
207e56d4a3d2d60297d01098c23835482187fe444850f9abea8fb0e3f75e18d4c0403f0e893f30b51b307ccae020a512dec94f0963c29b429be5176613425fa7

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
memory/4048-82-0x00000260FD560000-0x00000260FD561000-memory.dmp

Filesize
4KB

Download
memory/4048-79-0x00000260FD560000-0x00000260FD561000-memory.dmp

Filesize
4KB

Download
memory/4048-163-0x00000260FD560000-0x00000260FD561000-memory.dmp

Filesize
4KB

Download
memory/4376-36-0x000002155B5D0000-0x000002155B5D1000-memory.dmp

Filesize
4KB

Download
memory/4376-29-0x000002155B5D0000-0x000002155B5D1000-memory.dmp

Filesize
4KB

Download
memory/4376-42-0x000002155B5D0000-0x000002155B5D1000-memory.dmp

Filesize
4KB

Download
memory/4376-47-0x000002155B5D0000-0x000002155B5D1000-memory.dmp

Filesize
4KB

Download
memory/5072-1-0x0000000000A60000-0x0000000000BB0000-memory.dmp

Filesize
1.3MB

Download
memory/5072-0-0x00007FFA311C3000-0x00007FFA311C5000-memory.dmp

Filesize
8KB

Download
memory/5364-320-0x000001CE34800000-0x000001CE34801000-memory.dmp

Filesize
4KB

Download
memory/5364-321-0x000001CE34800000-0x000001CE34801000-memory.dmp

Filesize
4KB

Download