Malware Analysis Report

2024-10-19 07:18

Sample ID 240702-f2njwa1gnq
Target Heist Editor.exe
SHA256 880c660c294b6a8cecfd83182de82154b75ae2fcd723d34bd498e05771a2efb2
Tags
themida evasion trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

880c660c294b6a8cecfd83182de82154b75ae2fcd723d34bd498e05771a2efb2

Threat Level: Likely malicious

The file Heist Editor.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-02 05:22

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 05:22

Reported

2024-07-02 05:26

Platform

win7-20240508-en

Max time kernel

43s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000e258f32a100041646d696e00380008000400efbea858f071e258f32a2a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000a858f0711100557365727300600008000400efbeee3a851aa858f0712a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 3012 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 3012 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1676 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2928 wrote to memory of 2496 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 2496 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 2496 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 2140 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 2140 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 2140 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 760 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe

"C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel

C:\Windows\explorer.exe

explorer /select,C:\Users\Admin\HELanguage.hel

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel

C:\Windows\system32\notepad.exe

notepad C:\Users\Admin\HELanguage.hel

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66c9758,0x7fef66c9768,0x7fef66c9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1512 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1416 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3740 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3720 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2404 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2720 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3584 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2500 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4064 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4276 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4292 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4528 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3772 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3712 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3836 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2972 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4460 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4420 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3720 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1324 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1140,i,1977069693946526873,2760896208435864220,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 freethevbucks.com udp
US 69.48.182.238:443 freethevbucks.com tcp
US 69.48.182.238:443 freethevbucks.com tcp
US 69.48.182.238:443 freethevbucks.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 216.239.34.36:443 region1.analytics.google.com tcp
GB 142.250.200.3:443 www.google.co.uk tcp
BE 64.233.167.154:443 stats.g.doubleclick.net tcp
GB 142.250.187.238:443 fundingchoicesmessages.google.com udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com udp
US 69.48.182.238:443 freethevbucks.com udp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com udp
GB 172.217.16.226:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 syndicatedsearch.goog udp
GB 172.217.16.238:443 syndicatedsearch.goog tcp
US 8.8.8.8:53 partner.googleadservices.com udp
GB 142.250.178.2:443 partner.googleadservices.com tcp
US 216.239.34.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 esseps.com udp
US 208.76.9.135:443 esseps.com tcp
US 208.76.9.135:443 esseps.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 www.tagmanager.com udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 www.adsensecustomsearchads.com udp
GB 142.250.187.238:443 www.adsensecustomsearchads.com tcp
US 8.8.8.8:53 ats.alot.com udp
US 208.76.9.101:443 ats.alot.com tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 connect.facebook.net udp
GB 163.70.147.23:443 connect.facebook.net tcp
GB 163.70.147.23:443 connect.facebook.net udp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com udp
GB 142.250.178.2:443 partner.googleadservices.com udp
GB 142.250.187.238:443 www.adsensecustomsearchads.com udp
US 8.8.8.8:53 afs.googleusercontent.com udp
GB 172.217.16.225:443 afs.googleusercontent.com tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
GB 172.217.16.225:443 afs.googleusercontent.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r5---sn-5hne6n6e.gvt1.com udp
NL 172.217.132.234:443 r5---sn-5hne6n6e.gvt1.com udp
US 8.8.8.8:53 www.mailjet.com udp
GB 142.250.200.3:443 www.google.co.uk udp
GB 3.9.51.5:443 www.mailjet.com tcp
GB 216.58.212.195:80 www.gstatic.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
US 8.8.8.8:53 images.ctfassets.net udp
US 8.8.8.8:53 dev.visualwebsiteoptimizer.com udp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
GB 18.245.253.27:443 images.ctfassets.net tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
GB 18.245.253.27:443 images.ctfassets.net tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.180.10:443 content-autofill.googleapis.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
GB 3.9.51.5:443 www.mailjet.com tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 104.18.32.137:443 geolocation.onetrust.com tcp
GB 142.250.180.10:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
GB 18.245.253.27:443 images.ctfassets.net tcp
US 8.8.8.8:53 privacyportal-de.onetrust.com udp
US 172.64.155.119:443 privacyportal-de.onetrust.com tcp
GB 142.250.179.238:443 play.google.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 battlelog.co udp
US 104.22.31.188:443 battlelog.co tcp
US 104.22.31.188:443 battlelog.co tcp
US 8.8.8.8:53 static.zdassets.com udp
US 104.18.70.113:443 static.zdassets.com tcp
BE 64.233.167.154:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 apps.identrust.com udp
BE 2.17.107.226:80 apps.identrust.com tcp
US 8.8.8.8:53 ekr.zdassets.com udp
US 104.18.72.113:443 ekr.zdassets.com tcp
GB 142.250.200.3:443 www.google.co.uk udp
US 216.239.34.36:443 region1.analytics.google.com udp
US 104.22.31.188:443 battlelog.co tcp
US 8.8.8.8:53 betteraimtechnologies.zendesk.com udp
US 104.16.53.111:443 betteraimtechnologies.zendesk.com tcp
US 8.8.8.8:53 widget-mediator.zopim.com udp
IE 52.212.33.222:443 widget-mediator.zopim.com tcp
US 104.16.53.111:443 betteraimtechnologies.zendesk.com tcp
GB 142.250.200.3:443 www.google.co.uk udp
GB 142.250.200.3:443 www.google.co.uk tcp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
GB 142.250.180.14:443 encrypted-vtbn0.gstatic.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 rr2---sn-5hne6nsk.googlevideo.com udp
GB 142.250.187.246:443 i.ytimg.com tcp
GB 142.250.187.246:443 i.ytimg.com tcp
NL 172.217.132.39:443 rr2---sn-5hne6nsk.googlevideo.com tcp
NL 172.217.132.39:443 rr2---sn-5hne6nsk.googlevideo.com tcp
US 8.8.8.8:53 rr1---sn-5hnekn76.googlevideo.com udp
NL 209.85.226.6:443 rr1---sn-5hnekn76.googlevideo.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
IE 209.85.203.84:443 accounts.google.com tcp
GB 142.250.200.42:443 jnn-pa.googleapis.com tcp
IE 209.85.203.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 rr1---sn-q4flrnez.googlevideo.com udp
US 173.194.191.198:443 rr1---sn-q4flrnez.googlevideo.com udp
GB 142.250.187.246:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 i9.ytimg.com udp
GB 172.217.16.238:443 i9.ytimg.com tcp
GB 142.250.180.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 consent.youtube.com tcp

Files

memory/1676-1-0x00000000779F0000-0x00000000779F2000-memory.dmp

memory/1676-0-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-2-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-4-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-7-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-3-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-9-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-8-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-10-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-6-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-5-0x000000013F7C0000-0x0000000140A96000-memory.dmp

C:\Users\Admin\HELanguage.hel

MD5 e48671f08c254445aab192942dbf6059
SHA1 e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f
SHA256 7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc
SHA512 d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6

memory/2668-18-0x0000000003590000-0x00000000035A0000-memory.dmp

C:\Users\Admin\HE_Config.hec

MD5 094acb45fe35409f4f9fa34365cda714
SHA1 afe86528e78075b38afbe92f9df4433aa5843932
SHA256 deae8f9d469a291e3d2e0fd8606153e6d29c3560a32786043e7fe0557955195e
SHA512 15576071836ccef7ddf13faebb58a2e0a40468539a364f76cb9683bc913f0dbd8d9106e8b8aed2d56dcd1368981f480ec80f21954da5661be8eb89c0ae686b11

C:\Users\Admin\HEModel.hem

MD5 5d1a149f3203d84bd7a15c0f33398732
SHA1 ffb7ce1713781e256a8318b00364c11ff8c2c245
SHA256 77fff2b08f004f4cb4d695063e4f08d55271a5ad93273391e9a9e47c32b7e190
SHA512 8ed13f99e8fde319f1369231b1886e67e7333a48dccd5a242a0e531f9efda788ea9389b41a2043886a84d61fd6c90119461840d2443478deb7c1a7a811279901

C:\Users\Admin\HEVehicle.hev

MD5 cf7f9aee23075a7915cb46cc438c794b
SHA1 7cd29eac5c4ca59ce23ccd3a51fd53d4ed3608d4
SHA256 fbfa926cc6ace7c9ebd9c4ec2003370e21aa2d580e624eaa262045cb034c85de
SHA512 bcfc09ff5a0d5a5a9723f2f15104342454211810ef99f99a4094c78bfdad2f85fefbfa295a00ee0c1aeb66d6f878fa9c123e6e8ac1b109bd81040cf4541fb5c6

memory/1676-22-0x000000013F7C0000-0x0000000140A96000-memory.dmp

memory/1676-24-0x000000013F7C0000-0x0000000140A96000-memory.dmp

\??\pipe\crashpad_2928_MHTFTKDDVNKHDGGI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 824c4df546ccd6b4b4f5e27334ed82db
SHA1 aede9fb3b54fdb5d00481e3da9c9b8dcf1d90ef2
SHA256 187ec22873924cc876676fcd2bc27e3f1493feef244e989e43e37ee25438c4cb
SHA512 4a7f5741a6c641c2d47429103462c15adf7680b05692249b2835e697f3c53e7aabd83f602f4ed6bbe6710b19e8246e2d06ebd3b390c6a39516ba53416cc07b67

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3d3065591088992803afdb9f537f7c39
SHA1 c34a566df7df43135ecd3613ef77c613b3a13bc3
SHA256 e9c02ec238e4744d0d49ee81be48640e3ff7d17879cbad16f9cb01dad3e57d93
SHA512 545dc21f3bd116eb606f2368862ff663851067983c3f29dd1891f5bfac1d99d0464a2d7833ece17e4b55d04ca6bbf2f6d5549abf67b937b3d0158fd4d0ff1997

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b8793ac9ad39ec8ed59e1ce87fac8f15
SHA1 80eb364d114f97478943e3ee1bd08fbc5b25573c
SHA256 671a1585d04b437f4d8e33f48e98e9ae5c0bc91d51f160a0377f067a57e8e3cd
SHA512 c538e7e85d327d86edc23d8a3da460c437721fa35eefee3bb543ba3ccbda1c653b8e90c45493b8baebf38eab9819c6992db61e3e18234e66468de8aa1f17cc6a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8b0d4c2e-e312-40d8-b984-e33e6516d3d4.tmp

MD5 d15bf21197358128a298b1c90a5a2e7d
SHA1 de541edb8a78c64d7240b75442b4e3665838a83e
SHA256 08dd8796b9a24a2df13ebea1c134d03c4dd062d9f8af54f4d53c65c0252a1514
SHA512 a7d6e67b7887ba2391b412209a71355625ea0ccc2263a8b533197fd0cab4d6241187b341bddb55bd31b464a840d0f49d20d336daf18b91d790509fd0ba9a932d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCB5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 691ff6d14698662992b60966d4cd01bc
SHA1 52cac2dd0533813a6e32f23fc4a3aeb6ba0714b8
SHA256 92c86b53a59e8bb9f982968b506b192b1f2002842cc8cc660ff2545aaf3b8738
SHA512 4f26b058050e23dfa3027b26b04e0efa3ef34007017ce5fc5f43ff89b6aebf9668c5a28eb4b322ffafcd1e3b7c7729db2eb0dbc5c83e4e028f12e5be24333512

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 706d1ae35c43b091590473c854afe27e
SHA1 c94dd8f6838a33e5e1e0a42d6124c8dabeb00871
SHA256 d10b843af5f0700f39ea282643d852f19d7aa99624cb10136a864a7f2f674687
SHA512 9eff697cb767c970a6372da988765e99f89097f0df603b7c6726736f809dc66ce027cf20ea3799c36f13d08f1c154c79c08eb8cbf3b259e275501bc8041be999

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

MD5 015c126a3520c9a8f6a27979d0266e96
SHA1 2acf956561d44434a6d84204670cf849d3215d5f
SHA256 3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa
SHA512 02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ddd796e79110d9725c26719aebb3da05
SHA1 36f85a67c6563c10d67c525be5d125e17d690425
SHA256 182eda2fe99c94691e41d7bf3874e94d1051c6f72bdb74bf9163518ef9f0f6f0
SHA512 59cbb5b817ae50bf5ac99945ce6d728379a0e349673e2e8d491d65fe7f32493bd807c1279b8be895b0cf4f4b6d690e9e22af276cd28b611d089baf7e30ef2391

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebdd0421b4ad27d1e16562c2ed9cc946
SHA1 9fd0f3e3e4f2d53c6196879cb038fa39f9d18438
SHA256 d94d31da8987e1d143191264d0cc9d016a1cae0ca3e3635409ab0fac094a5ae7
SHA512 0d8426a7a305802a4fdba8b9736fc392fa5547a7fe0a1526f039c48d0acc1f85f25b2899bec3f89c3251ddcf628ebd6944b98c16d511ea57a553ffc690d4f59c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ef8877b931868f32497def338673184
SHA1 aa76227ebe66dac342e8ebb5d0eeecd108378c0f
SHA256 4cdfc6cf5dad51e553442f06097ef8288e050afdd4d6d736ab2ea2b6794caaa6
SHA512 42a281bc6b7ef2e1a9d3f44f754423ec9a594a63f37dd99e6ac3a52de0410d51db13f44d5bce1d4bddcb0a1f4b4cbb3c10d47f1e1633cbf0e5c249aa6bcf06e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3e952ce2b425909ae0165ee4b7cc83a
SHA1 4db1d40a94e169d24eda55996f3a989f74bc1b19
SHA256 f5116a3aa39a64614161ea3794af9140830b816951570af012a5a2a0f196f5ad
SHA512 2565c271f053a662e9a1b0da6eadb24ba416d89f54ddeb388792704911a8dc4ae9b4c2e1049b794ed27d1d4ca0cfa9ea1b1582597560aea6d4c7b7b5a9f9c0a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41df90eb145334424cb2bc7b3c58449c
SHA1 3c94896cbab75434c91ba6cfc65c118f7261706a
SHA256 13ae2922bc2bc800275da1af001189d88ade14acdea9c733a6b57a80af2a6190
SHA512 be3a242df026fffadd197e55586d759b2a70349c5dcb01324296761c2a5090ee5a0d680113bc871848b2a91ac1d17d8e9ad2805311b3532aa79a3b135173dbc0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf775cff.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 625ae51e84929600c9f239e81c739f3e
SHA1 1564b04d1f6677849930b51f04b6baaeccf6872f
SHA256 8307b0ad1ece0b1c4d25a07c2fd8fe5b9f1b40722a872f33e59f282def293ebb
SHA512 f051837ed0e2c2d5c40d7ab32c2472db2cdc18fbcd2ee82886cceac272403ca5c74dd195a918a3dc027eb0356997c0fd4c58e341481338c79e33290f28545417

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c7fe027dd4874f54b0235bd3b248dfc0
SHA1 dffc605d0602d3159c5e57fb1e3be176127d6d50
SHA256 14327ea011a92162ec5754b0599858416378823f290388d2d880a98556c9f1f3
SHA512 8fa801112ba5a612455ec17fd3d9b2a6aa18876e747c0f1d9acb111a020bd6ecb00b85653f2544c7245c45abc8871b9214ee99f02067231cb96d69a0590a02d8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 eaf391f6fb9ec94789e9a96f432b6b3e
SHA1 998d6b1bac52fc725b8016878fc55164568870ee
SHA256 115144fe750ac9cbfb10c470ba3b9f529635dfe86eeec94f899b49a46b95604a
SHA512 4683abe92d4796ced85e089778674d432ca725844660e2c1049d75d93be2ce6af42161d5d3ff8b78a6cb4dfbecca83255b2b93eb6e004e11004f4d0d18a45f59

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 926a808758b808b3afbf37f5aaaddd22
SHA1 a7cadc90f8857afc814b567ef2ef2a35685bb514
SHA256 5915cea734384a0ca9aaab575e3ae097875bb40d4b13228317d7c7a54f5eaa0c
SHA512 5999d6a808a6bda45dda71dfe45a8f613a80c1c22e3a775a8a70ad6bf279239bdc8c4b412f3059562264ea68d4ab6a2e9919645c2c64b3ec950e60bc1af26390

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d

MD5 151fb811968eaf8efb840908b89dc9d4
SHA1 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA512 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2556188d0ed0147e8bbe764e7474c2ea
SHA1 4de72037057f9c3368d7813aa5a26fcd806a705d
SHA256 db12e1d40e8ef4ffafa880e70f267ca5ffc7ccbec91a8f70a6859d4543cf4958
SHA512 b9097b20524872b8f1eb4507148be18e3e7187e30e0616e829dc7115806dda5c3b0dc46cb3d030c9af8ca9651d5a687cfb64ede3fd3439ca919280c36cad34dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3b10d334b4b9ac5f3fb9c4661afc4f17
SHA1 d30281eb3af73562ea691c4f7fabdd78dfd84d17
SHA256 a5a9f0e7b31463deabfc2ebbac9635da22bb639b423893424d960783a35c7d30
SHA512 36629635d95490ec0ed4b3ed6170ac7c08abf7c510e7978fd0ecbabce23541e5a09b27014be78533fee678a962d53a93c232344cfa53e2675fbeface7e21e46e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 304acecc51c98dacc8ce7be455453e6e
SHA1 16bc08655a3c0ac4ae7863cdd7a381f7a5c625b3
SHA256 43a4a9dd2efee409fb9326c29b6f439368637e4799cd0e35bc02d6a6826a82e0
SHA512 2f80f1b3a7ee90a0db0e495a4d15c7eadad6d58464a96932a1b711064aecf610778d3a5e8dad49eaa0a6aa3e9ed3b5130908ed8040035803620659767d9b54b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76f9d383876cbf5b7c062c8557429556
SHA1 765e89198a3654fc2c92d203514d31e13038b047
SHA256 e00658ac4d0d6d97dd1a1a0a17a83a8c57a1c18dcebe361e558fc6c52c240a95
SHA512 d9150732ca7fe5ae5aa5e5393749e2cb5bd951292f7ca95612cbba9a8b4e9fb958e9a3907436a1cecf7d6d16b0a2a298d8621c6ed945ed605c98c645d1a1102a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005f

MD5 52c0748c04b16f065830bf2bac98b6a4
SHA1 23fc3617ff639ae05e8f87d6349c5b4f86656409
SHA256 740aa2002623f90b4cb6d4ec3963092479355393dd9bfc194acc88900df6fa1a
SHA512 bd45b0a2026e7027787c027c3d4a1276dcf4b655fa90e62b0b5c6248f680bd52853a2c40f094b108bf49a5030ef49ed1bc0b511b8166a90a79585a0acf0ab6bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000062

MD5 e499b19b32aa0d3356895de9021585ca
SHA1 b1f8b92ede12d2ab543e9e4cfb89f8468610c7a4
SHA256 7d45b6f483836758509ac29028761b4538f948334a5b9fd26189d2d2dc64a20e
SHA512 37547003df67161a320603a72507749fe254d98e0af6dc21dc5892c0469610e64c7f65d88df91c80b7db3bb5e642d38c23aac5fdb60ce2dfdc4123bdd56516d6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000061

MD5 bd427509728a3ddbb10fe203cad7eeef
SHA1 078194e0cb9b93b4d77ddfb701b3b739517821bb
SHA256 55cc50b165f976a7b8e290cfffbb0b2c17e475e88cd1f14bb9d39a2872a38c50
SHA512 0088747369cf02085a50bcdef8912507b4c0676aea9497db8a6fd1deb2c1ac012401caab7f5efd3f5b8af8b51e7f9ae7dee89bbe179b546439eba20ebfe45bca

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 71a6ffa17fb830854ffa63280b014032
SHA1 123239e0a753c722f4108f8f534877141212b2aa
SHA256 f46451bd8d0baf8ebcbb7081aab38049b9c292aabf57c63ab7b10341e598851b
SHA512 6182e8303ae7629136e11eb77ac7d1e32db2c30e6b26bb1ad223342f1d4ae917ccacbc3e09f06c22da8cdabea328508258d55d2521ba1617b4f346fb2b53705b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3a2585834edabfce78b6f80073c1cfb7
SHA1 29b6322084e525029278664018d6636f303d49ef
SHA256 2a72562e5b07486471f324a2b10788000af1dc9d91bc4f806760f15b3ba4abb4
SHA512 4cd51072629bf7b00a0d8bd3f3202e9ee91b1d39ca9fe897b97be54b73b3a38453c0e3a3c5da00a20b5aa751a656c0f631268a67a71fdb1187c8d3c82cad856b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

MD5 2280e0e4c8efa0f5fc1c10980425f5cf
SHA1 1d78ccb26fef7f1bf5bf29de100811e1ac8bda23
SHA256 b9225cb1f0df94ebe87b9eb2ad8c63cf664d2dfdb47aeaff785de6c7ce01aa74
SHA512 b759fcbf578947c0290ab703652df9f37abb1f9f5cf6140acaa8c4d4ee655ee0ee1f9bee9d4fd210d9e12585a51358b52e0e9c0878abf2713e6fd69a496ac624

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

MD5 8f5c02a2d7cb398342851ad2ca3c87cf
SHA1 21b7243532e43301a97ec5cf0d11e4d621b0d784
SHA256 08e636b5f642629c05ffe78ffb5f1b808fe37fe9a7b37409b11bb95e7990ece9
SHA512 348549184e00dd37d1217bdaed5fed7faa08362c3838ec8c0c2469359b659c2cae11d5aaface994499195b38412e1c07ee2300e531f2cc552e2d14761418f27c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

MD5 d3ce8132fff199a89682d53d7c7f33d3
SHA1 cebe2b4b10cdab32d5e883b51e21f4c8c62af86b
SHA256 24f1cbb7ca9a5e6ecbcc90504ed4c768ebe3a8ad2def99b58ea7cc89bc13813e
SHA512 4e5768a5278c732bf4878457d8acdd39b5b0230236e4577f856e5757aa38a508eab84c7f6b8df853ed5c4e9edad8d0233bbb1358e7b9aaf2e59d5ec2498791ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 9bb7c254e204da65b36d4b659136dbc6
SHA1 f55681869b7c85c859120cb8283468ff34fd22de
SHA256 7eeb53c7beac1c1b079afa48f65548cf3fb55d4d1ff18a85eb7c0f475e84878a
SHA512 74aad164d102c6bb636b2308ae7afd33ddb7b6193f38eab852a65960058e5e8bbad34ce77e3b15f7b8806396f847b308a33848a43d5e9b539cdf1758bef68636

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ed12386ce87160467106b2999510b6a1
SHA1 c39253a633fb35fb9ed91939bcf69ed2a6ed2e0f
SHA256 5dd6b9af39fc0f1e2a1eba1811f31e25ffa71e7c91d75bac83c6a5d119976920
SHA512 41fad12f7b7553b679421a9e8a4a99ebb97b5e383c825f7224e45dd24662f97923f3cc36755a46c3c02d7f328a42d028e6b8c37b5ac7cafd774f484723ade119

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 04de60d811d5d8e4f6cce16b6df0b50a
SHA1 fb56504b28009ba8bdc5e10c47a3e2abfc8d8779
SHA256 484d14a653a3b3879189544f54a02e4a34fcedb7186c1967be9d2c87bb9ed55c
SHA512 be196162d3a00cba35bfdfe652d4e97e1fec80b65e274fa4f1f618f48a6abca185063bdbec2d3a5e5e3c2c1b5619ab32c11a3ea1fa11f96f93c6b5bae59758c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\Monochrome\1\512.png

MD5 7f57c509f12aaae2c269646db7fde6e8
SHA1 969d8c0e3d9140f843f36ccf2974b112ad7afc07
SHA256 1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f
SHA512 3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2928_165924059\Shortcuts Menu Icons\0\512.png

MD5 12a429f9782bcff446dc1089b68d44ee
SHA1 e41e5a1a4f2950a7f2da8be77ca26a66da7093b9
SHA256 e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37
SHA512 1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 3766bab36e34e990677b49d6894e03dd
SHA1 a53365065e2090e33b5e4be904e296237a90fa1e
SHA256 b733cc3b24b85ff7fa453437e012a399daa383fe464607ec58e70ac66ba8d85d
SHA512 fd924672ca78b80b79e7bba8dbaa312c70b2dfd813b5ef61ba9ad77d3a6b3503438105f72d130c8e1fb21ca286383f0d5b90f88d8ce4760334541f8520948425

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 05:22

Reported

2024-07-02 05:26

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000a858bc531100557365727300640009000400efbe874f7748e258f12a2e000000c70500000000010000000000000000003a0000000000070de60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e258f42a100041646d696e003c0009000400efbea858bc53e258f42a2e00000076e1010000000100000000000000000000000000000016d06400410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe

"C:\Users\Admin\AppData\Local\Temp\Heist Editor.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel

C:\Windows\explorer.exe

explorer /select,C:\Users\Admin\HELanguage.hel

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel

C:\Windows\system32\notepad.exe

notepad C:\Users\Admin\HELanguage.hel

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/2024-0-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-1-0x00007FFD5C750000-0x00007FFD5C752000-memory.dmp

memory/2024-2-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-4-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-3-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-6-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-5-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-8-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-7-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-10-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-9-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

C:\Users\Admin\HELanguage.hel

MD5 e48671f08c254445aab192942dbf6059
SHA1 e349a76d4d6562e81fb1b7cd9bec0a79a2adce4f
SHA256 7c642b8a501c94cd614f1178b2d11e3d39557ae5a26bd8e17e6c2a29f7790bcc
SHA512 d33216bd275286dfb8891b374e88e9f91bcb9f9dd50f6dbca298ae7cfabc92dfadab321f29845c2c612e2ef75e7b32c257f886ffad437eb3118bf112115b76f6

memory/2024-18-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-20-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp

memory/2024-23-0x00007FF6981E0000-0x00007FF6994B6000-memory.dmp