blackshades | 6deff5735317a9b7addf8d9f8d3aeca1de68364e63b69037b2c916bcaee44003

Resubmissions

07/03/2025, 19:43

250307-yfp5pavye1 10

07/03/2025, 19:34

250307-x958bswky3 10

07/03/2025, 19:02

250307-xpxqfsvvbv 10

Analysis

max time kernel
465s
max time network
579s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Size

1.2MB
MD5

58ef8399e896e60b181961292fb6d666
SHA1

d5b651f75234877814d8efabb6256fbc23c662ed
SHA256

6deff5735317a9b7addf8d9f8d3aeca1de68364e63b69037b2c916bcaee44003
SHA512

b9c4059148ff6ff96b376b69450a5234b4de8684ef41173601c24140da62a2b623f4117f5f483be478c9542be676cd705511d9540689b247cd44215b8c2f7b37
SSDEEP

24576:D6t9iwCQliK/JJDORRrQl9uM1aIcLkNC2brX5qXI8PP:Wt9iwJTDOPsrNcwNbwxP

Score

10^/10

blackshades darkcomet hawkeye enzcrash credential_access defense_evasion discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

enzcrash

whatthe.no-ip.biz:1604

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
winupdate.exe
gencode
=fgh�Num+Xi-
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Updater

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 7 IoCs

resource	yara_rule
behavioral1/memory/2104-156-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/540-184-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/540-198-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/540-219-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/540-220-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/540-226-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/540-234-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\winupdate.exe"	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	explorer.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	explorer.exe

Windows security bypass 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	WINDOWSUPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\fredolin = "C:\\Users\\Admin\\AppData\\Roaming\\windowsupdate.exe"	WINDOWSUPDATE.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF3DC2-AEED-D5C9-ED8B-B1D0CEDCDABC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windowsupdate.exe"	WINDOWSUPDATE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CFF3DC2-AEED-D5C9-ED8B-B1D0CEDCDABC}	WINDOWSUPDATE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{5CFF3DC2-AEED-D5C9-ED8B-B1D0CEDCDABC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windowsupdate.exe"	WINDOWSUPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF3DC2-AEED-D5C9-ED8B-B1D0CEDCDABC}	WINDOWSUPDATE.EXE

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	explorer.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
115	2404	chrome.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
540	WINDOWSUPDATE.EXE
2736	WINUPDTR.EXE
2104	WINDOWSUPDATE.EXE
2476	WINUPDTR.EXE
2820	MBSetup.exe

Loads dropped DLL 16 IoCs

pid	Process
2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
540	WINDOWSUPDATE.EXE
540	WINDOWSUPDATE.EXE
540	WINDOWSUPDATE.EXE
2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
2736	WINUPDTR.EXE
2736	WINUPDTR.EXE
2736	WINUPDTR.EXE
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2104	WINDOWSUPDATE.EXE
2104	WINDOWSUPDATE.EXE
2476	WINUPDTR.EXE
2476	WINUPDTR.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "C:\\Users\\Admin\\AppData\\Roaming\\winupdate.exe"	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fredolin = "C:\\Users\\Admin\\AppData\\Roaming\\windowsupdate.exe"	WINDOWSUPDATE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fredolin = "C:\\Users\\Admin\\AppData\\Roaming\\windowsupdate.exe"	WINDOWSUPDATE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2352 set thread context of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 1088 set thread context of 2360	1088	explorer.exe	47

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000164c8-30.dat	upx
behavioral1/memory/540-36-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2104-156-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/540-184-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/540-198-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/540-219-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/540-220-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/540-226-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/540-234-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mbamtestfile.dat	MBSetup.exe
File opened for modification	C:\Program Files (x86)\mbamtestfile.dat	MBSetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWSUPDATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINUPDTR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINUPDTR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWSUPDATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1616	timeout.exe
2740	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1980	reg.exe
740	reg.exe
772	reg.exe
1880	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2820	MBSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeSecurityPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeTakeOwnershipPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeLoadDriverPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeSystemProfilePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeSystemtimePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeProfSingleProcessPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeIncBasePriorityPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeCreatePagefilePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeBackupPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeRestorePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeShutdownPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeDebugPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeSystemEnvironmentPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeChangeNotifyPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeRemoteShutdownPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeUndockPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeManageVolumePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeImpersonatePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeCreateGlobalPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: 33	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: 34	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: 35	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: 1	540	WINDOWSUPDATE.EXE
Token: SeCreateTokenPrivilege	540	WINDOWSUPDATE.EXE
Token: SeAssignPrimaryTokenPrivilege	540	WINDOWSUPDATE.EXE
Token: SeLockMemoryPrivilege	540	WINDOWSUPDATE.EXE
Token: SeIncreaseQuotaPrivilege	540	WINDOWSUPDATE.EXE
Token: SeMachineAccountPrivilege	540	WINDOWSUPDATE.EXE
Token: SeTcbPrivilege	540	WINDOWSUPDATE.EXE
Token: SeSecurityPrivilege	540	WINDOWSUPDATE.EXE
Token: SeTakeOwnershipPrivilege	540	WINDOWSUPDATE.EXE
Token: SeLoadDriverPrivilege	540	WINDOWSUPDATE.EXE
Token: SeSystemProfilePrivilege	540	WINDOWSUPDATE.EXE
Token: SeSystemtimePrivilege	540	WINDOWSUPDATE.EXE
Token: SeProfSingleProcessPrivilege	540	WINDOWSUPDATE.EXE
Token: SeIncBasePriorityPrivilege	540	WINDOWSUPDATE.EXE
Token: SeCreatePagefilePrivilege	540	WINDOWSUPDATE.EXE
Token: SeCreatePermanentPrivilege	540	WINDOWSUPDATE.EXE
Token: SeBackupPrivilege	540	WINDOWSUPDATE.EXE
Token: SeRestorePrivilege	540	WINDOWSUPDATE.EXE
Token: SeShutdownPrivilege	540	WINDOWSUPDATE.EXE
Token: SeDebugPrivilege	540	WINDOWSUPDATE.EXE
Token: SeAuditPrivilege	540	WINDOWSUPDATE.EXE
Token: SeSystemEnvironmentPrivilege	540	WINDOWSUPDATE.EXE
Token: SeChangeNotifyPrivilege	540	WINDOWSUPDATE.EXE
Token: SeRemoteShutdownPrivilege	540	WINDOWSUPDATE.EXE
Token: SeUndockPrivilege	540	WINDOWSUPDATE.EXE
Token: SeSyncAgentPrivilege	540	WINDOWSUPDATE.EXE
Token: SeEnableDelegationPrivilege	540	WINDOWSUPDATE.EXE
Token: SeManageVolumePrivilege	540	WINDOWSUPDATE.EXE
Token: SeImpersonatePrivilege	540	WINDOWSUPDATE.EXE
Token: SeCreateGlobalPrivilege	540	WINDOWSUPDATE.EXE
Token: 31	540	WINDOWSUPDATE.EXE
Token: 32	540	WINDOWSUPDATE.EXE
Token: 33	540	WINDOWSUPDATE.EXE
Token: 34	540	WINDOWSUPDATE.EXE
Token: 35	540	WINDOWSUPDATE.EXE
Token: SeRestorePrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeBackupPrivilege	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeIncreaseQuotaPrivilege	2360	explorer.exe
Token: SeSecurityPrivilege	2360	explorer.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
540	WINDOWSUPDATE.EXE
540	WINDOWSUPDATE.EXE
2104	WINDOWSUPDATE.EXE
2104	WINDOWSUPDATE.EXE
2360	explorer.exe
540	WINDOWSUPDATE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2260 wrote to memory of 2352	2260	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	30
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2352 wrote to memory of 540	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	31
PID 2808 wrote to memory of 2840	2808	chrome.exe	34
PID 2808 wrote to memory of 2840	2808	chrome.exe	34
PID 2808 wrote to memory of 2840	2808	chrome.exe	34
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2352 wrote to memory of 2736	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	32
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2736 wrote to memory of 2344	2736	WINUPDTR.EXE	36
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2344 wrote to memory of 1616	2344	cmd.exe	38
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2352 wrote to memory of 1088	2352	JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe	39
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40
PID 2808 wrote to memory of 352	2808	chrome.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58ef8399e896e60b181961292fb6d666.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.EXE"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\windowsupdate.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\windowsupdate.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1180
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\windowsupdate.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\windowsupdate.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1880
- - C:\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1616
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1088
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Modifies firewall policy service
      Modifies security service
      Windows security bypass
      Disables RegEdit via registry modification
      Checks BIOS information in registry
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7129758,0x7fef7129768,0x7fef7129778
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:2
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2988 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3412 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1176
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fbd7688,0x13fbd7698,0x13fbd76a8
    3⤵
    PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=576 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2772 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3940 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3944 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2256 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3976 --field-trial-handle=1312,i,14445331091214940442,5605035144975599862,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Users\Admin\Downloads\MBSetup.exe
  "C:\Users\Admin\Downloads\MBSetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
484eb8645fb5e89e2c08e27da4809b8d

SHA1
9644a403947e1dd74b55e94071b23a4a175cd7b6

SHA256
aa32be2365cbcf66dc242d49022800653201c875777b78a778abfc18e3b8549d

SHA512
f1e9dabb1862c0873025ac3016199135056dcdc2f6ac9fc80a85431b7502ea124244c72cd9a27b4b51610a46249e7f519c1506d5f022ee4c1b88f7e6f842d718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8026d955ce26254e124d226becd23d56

SHA1
da1abea1a3cbfcdb5d9c165e27c3d9bb4d5be592

SHA256
d2baf77aba5a302e7ab4d3ab2d08655895b0e1f57c575b4540a73e6e7e29a4b0

SHA512
13eaf9f6c3d977f5cde7c2c97cdc15613049b7ded7973a227c30fa789f0d41b21a6c9b21db210147700fcbefdee718350ff29a426a20e758f6fa8f28ccf57462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a62a180ef77080ed2f6f68ebd5ef8d8f

SHA1
db67688cec2ef4ddb0b902fe70f2681d47692161

SHA256
c0bef926f84110dab5a08309d4aebeb3a6cda5ddb6340c3246fe0efd681d387f

SHA512
4173c73d83cbf9bf1380de4f117d6ee5b8ad3d0ccc229c81eb2daca4c8f1d1903f2795cc4564bb31355af32c82a479fc2637a2105f2f4cf6d27c1aca996c52e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3c993efb-7e05-4e42-9a1d-666a69517b68.tmp

Filesize
354KB

MD5
f459089f64a006810e317955035fe190

SHA1
e3e25e27d6a3ec1a9a9e9aa94545d38df1cd083d

SHA256
feafa00a41669d2b3f3b49e327180aa21e43db99f9c63463dfb2abd123b23720

SHA512
ecf61e07a47ac15cc88f9f801dfefa19f28bde88a1ea4f459bf1747f0362c043c2cd2c7cf34c99c6804d91327490f355819404b296ad6d3febc0ed629bda57eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8e0c5be5-2050-47bd-bb66-734b73fab50b.tmp

Filesize
6KB

MD5
11355caefcc9589ae36c1f9f8a8316af

SHA1
38911293ac65d71b2c95333cf7809651afba8344

SHA256
ca0e4a14aef19f8438f7fb80c37d8029a2b2d6bfaa137d80235c43c87dbe2bf7

SHA512
c5c639069e04d25640e9ec9f8923c238b74e4015037478400f3079ce5a396c50d31d82e02e8ca49104afdda5b7c0f602a7c6f5af75060063fd02d3dad430bee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
171KB

MD5
40c1320bc877bf54deb60155e22d608a

SHA1
c4735517bdf6903f80e28d80fbae2c58d8e105c7

SHA256
71e7d96e0b15924a58f28b82f88627957a5ea25f7a23930c295186f3412cca2c

SHA512
d52634fb3d303dceec351f3d9dcf5e8387e9b2c1fd4f7f07ad25a557cc1ca0c7f7ec7005a62ab235904596770152bf63ec2c0bb0e2316b31cd330d79818823a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
125KB

MD5
36e0645bd3392c55e78f2ea848fbb4e8

SHA1
26c60221905666dfc8002072a0083a1f06cbd8c9

SHA256
bbf5ef817d938f8bbb1bada103e55f96170f62fe6cf7b54b4019071e7072ee15

SHA512
404f91a851752fa3e2a6a70be6b341b5fde778d3b2e9134c69da971e00c003c7e9d309f4e681464a2a566aa8e9ad18bba158a2bb10cc1b320d448037da74c717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
173KB

MD5
4a8c93f2cb84336bb11796a549941d40

SHA1
78cbc69d480b07951b23865e27437a565822afc8

SHA256
7dfe96249d73eae447d1edadecd5cc098ab76099647c9e2cf8f3b616d5fe5ee7

SHA512
dd9115f956d945e3d34cf85cb4acf326c37a43f7039ceed076e24077b31bf9cddcf5d92aa491ddc4b5bd37134426231b70527037f76420c8bae9e9700df60e8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
120KB

MD5
6c2918af41500d21e282f720f0b2e364

SHA1
7c664d8e579fddeba428d0374daa7576edb55af7

SHA256
2d71a55f5dad7cda17ce63dd9d673c81550681f90d9c059ca23e3be81967c602

SHA512
14859485890626032ac253f7d00277675aa460e206ef537d81ba8cec9fa26e90928ec3c6c90ca5a3977698b45f2619a8c58cb8dc9764cd3e2fb27999a46f2b1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
19KB

MD5
d3907d0ccd03b1134c24d3bcaf05b698

SHA1
d9cfe6b477b49d47b6241b4281f4858d98eaca65

SHA256
f2abf7fbabe298e5823d257e48f5dc2138c6d5e0c210066f76b0067e8eda194f

SHA512
4c5df954bd79ed77ee12a49f0f3194e7dbf2720212b0989dad1bc12e2e3701c3ef045b10d4cd53dc5534f00e83a6a6891297c681a5cb3b33a42640ae4e01bbfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
19KB

MD5
bcb7c7e2499a055f0e2f93203bdb282b

SHA1
d4a23b132e1ca8a6cb4e678d519f6ae00a8aac58

SHA256
f6537e32263e6c49bf59bd6e4952b6bf06c8f09152c5b016365fef70e35856cf

SHA512
89e5e40a465e3786d35e2eba60bdc0fe2e5bd032dd4a9aa128f52e5b4b9e0871c4c4859f5b681c497fe3c9362e24827ed7cdc55515e3da0718f5129dcc82fe40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
19KB

MD5
0774a8b7ca338dc1aba5a0ec8f2b9454

SHA1
6baf2c7cc3a03676c10ce872ef9fa1aa4e185901

SHA256
e0fd57c0d9537d9c9884b6a8ad8c1823800d94dcfb6a2cc988780fe65a592fe6

SHA512
a0066b2a6b656e54f7789fea5c4c965b8603d0b1c3d0b5560cfbafd469a4cb5a566c143c336bcbd443bae2648e960aa0e635770e7c94d0cb49c19326f6ca7b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
71KB

MD5
d472fad806c3061a01d7dce7f4012555

SHA1
1caa6b3753145fa2799ab7dc06c0cd516f287678

SHA256
e406eb7608d1fe40ca8f30ac99d8c3075db85552a232698d2281b8329f51ebb7

SHA512
7939607d7d792f3ffb8af58038ccbd3a1664bc89b7ca8830793517cd12f6f74dadf5115bf9d9b9884ec8fa5885cb98859a049542c6c9e73c604abf328bcc822b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
54KB

MD5
9880989851fcd47652a37312edb17547

SHA1
fcf275884bff18a926de0bcd46c6bc8918356d86

SHA256
1fc4302f08484cb4df0a32e6cf6ce58cc057de2eed9c645cfdabebef1d3306d1

SHA512
53be2da27a9c74be74a9bdad217c8724affd822a4ae7980439f124d1f8a3e1125b8664e16427308e423a1aa05d83a4b015201ddcd89fed09f9d83902b27e44a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
52KB

MD5
8c9f5d592b2671b4910fbd685ae61401

SHA1
2c38e925773617e94fb911f4d1573bd0f44d607b

SHA256
837bb391f879a1edd4521ce965b614bb760c6a2eeacde80329a57631196bea73

SHA512
458c84f09f7473cc56928085cb0325c893ca2f923e921eacfe62b66d4c926b3c99e1c10c8e17c30e00d4d538200d99a6dc1be74818bfa3c219b28714caede9af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
18KB

MD5
a90e737d05ebfa82bf96168def807c36

SHA1
ddc76a0c64ebefe5b9a12546c59a37c03d5d1f5b

SHA256
24ed9db3eb0d97ecf1f0832cbd30bd37744e0d2b520ccdad5af60f7a08a45b90

SHA512
bf1944b5daf9747d98f489eb3edbae84e7bc29ff50436d6b068b85091c95d17fe15b721df0bff08df03232b90b1776a82539d7917599b0a3b2f2f299e7525a51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
159KB

MD5
56eb72954f90d329d2fa05255e2bdb80

SHA1
ad2009e8810dec318432dcd7b364506972781015

SHA256
d4c30f97a6fba1602bc90b21fce05a5839d3a7850ecec4d9233d1b031b8a8fba

SHA512
8ec77ce8af86b0c163064dc1d32a1be99e42ed727efcf1972b83927ffdf27fda425a04fc7e2338745b672d3bb1a27d3759551e489500823a8df095b01def420f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
69KB

MD5
e398ab9780f85f9692c1cdb911ea9f2f

SHA1
f08bd9cff5c093b883e15676c7ce16436f71b6d9

SHA256
e21095102953fb478fb7408f67733231b2464ba5e729d1c57f596c78ccdb044a

SHA512
164dcf61853344c9ddafec860923f8a6e529c6bde06025d04fd6a866bbc6d3b605d1560aa5e0e1f29fdec4485e69acdcdcc2624037571209d90ea545551a7a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
59KB

MD5
abb58e40dc6bcd02d3155af3d55a7e9b

SHA1
ce59f1d5a433f048dd580cea6b7a55f39adf2020

SHA256
4f94b28c8a92677f8062ab15476375728daac8c3e2c33f2184773dd8dfb39ec4

SHA512
35eb3e2e976f205d5d8d7020cdda5cb2ca255afd349471b8ce0f4394857175e340f6714a42a0d7f4b28f9e17df078f6322acf27c3cb8d6f51dc093cc8976b4ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
87fcce60cf5c43f415352894e983a9b7

SHA1
3a3cb295f7a6498c8623d3fd929e58b641d30f5d

SHA256
3afc31b3295f050c92096eeff5a3347f9f2eacd7d1f21c2a6f0757496d4125ad

SHA512
db48d87b4fddc2b8af8318e9070e652fd904934dfecc3e6749cf16bd1544a98d4e9caf176c6e1fa77589269b4926348c587b34e668013c59a77bddefbb2d645a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
05841d8f0077e153039c7858a9fa9c39

SHA1
0c5acead91746c46ecdbf1291d6be92bb6e5fb6e

SHA256
60e85d5cd3173b07800938fc9bfda3518769348bbd12efcfc59cb91d98bae10b

SHA512
f55744b08fe9b4689d7c3f831050fe01311439f767d2c2c3c4254ab37dc8762b89fca40b766e28b72be4dd4c4a849495d10cb6d0ae07fa6b58ed4c977bc2ba86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
7d27359efc546819667af434024afee7

SHA1
14831a49e4d963cc7987a2dd65f1850b3b5e5c97

SHA256
8a591251324252d81c7096ee96ea9156b01690703c9340faf13474f85dd16802

SHA512
7a26e0aaf2958460843813513ebaf66f0f07e1b9171147139480ff0de674013710e8d6a2972b28e8c54731d7f9134476e7cd052f979f513db3349966bdc62a64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a9a7ef6e-60a3-4a8d-99db-55b4004ac9d6.tmp

Filesize
5KB

MD5
84af4322a5ab31000a0faf1ae5f64445

SHA1
9a15c1121e0e323fefe900aefc9b2dba95e15a1d

SHA256
ea57adfdaf8ac37406574d19eddef24b1880082b5dae35cc84c0f6942a17648a

SHA512
cf56c2c264678008b69696a13b8335d877d7fa3c88e83506ee3607b13d0bc47abc0b2e359f1e29138cc7e5ed8800660255c3eb6781101bcdff1dfefdcc835867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b40cb1ada5b961e02f1597a890f93803

SHA1
a29eab39ecf05f575d21ae1842b0cd29778a1dee

SHA256
06d01c52b281b90d8c40ac67b359176c21e00a02828bf2c51f2e9644dbc7ab98

SHA512
cb1dc1ff9dc1b2593195c1075dc9bf9aa79722abd2d76dab97e990f1edafbc64b43e94248e0bf7e98cf4bd0e6ef8a50a57a6dcf2a4cc3a491857316d926c97c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
90a1b4cd68c8c75429521b2ca55eda71

SHA1
ffa9ffb4155a5682898836b25f049a580b6f49ca

SHA256
5638ed4d1672b8f78a7c387fbc9d999836767a69125d289e99796ca194a3f254

SHA512
91feba43db3b977a789d0f7a4c3d733626e2a15d0b8e7a992f3208c5699685f26859a173470a3b7f69c0b2bfe4fcbf5fc62297dd920474519015b3aac224f885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
787eca3247bdc99f44e0d8e5ac593269

SHA1
a30b9789a299ab1fc2d5b94a30e80eac820e510b

SHA256
0c696414c720f87065e92a2c136f68160e89ecad25d0e27879eac42d02c6cd98

SHA512
4da91698215d56ccddb0ceb94ff07e863a1756a06d56b61db3095cdf3358c5ec31fbe0b0d09007cb2885e9d32d9a209672307b5e8572da7055e959814658bcf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0503714cbb713368277ebe785eac8209

SHA1
85e9fcdf9ca2bc6fb8036eaa23234098bc979713

SHA256
9e9494a0c76b307edd834356ec9a76852e4df1777c565e9434a6500871f821c1

SHA512
95f208403fe2b51b338bc11387480278b3d54fd0a03b5ebaab8de6fb6dd67de09263c39322a501c1fd9169acccca11a190467729f5bf0560c5fa40489754cfae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
87477e80c94200f3aeeee88683cd265e

SHA1
a3ab957f1fd003e881a6502fd60fb5d7f862aecc

SHA256
668244244cea996103abee2594396fb865ccbdaf27d81dbacb23a3d84ba322f0

SHA512
caa23da094c2ddd7c162891a30119a37518d728a7349a8e4b2848e09a835fccdc08d5b611171a392db1f834b879c091624244852205ed19ae4ad8441aea03a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
382KB

MD5
02066085b49f72742a5cc89d48982276

SHA1
e54fc3766d91899a4a7fa2d95a790339ac429c17

SHA256
8c7c29d1d00b233f611c8ff384fa5f4155c0ab1ef6d84af862a16278d56fca01

SHA512
04cd21618ba47631951f90478a6e6c0a9de4a8191055233492ef9bdd48ac36fef8cbd2cac834a00dbe0dcc5026f641bc38b0e7621be6ac48822005f3339c6499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
353KB

MD5
10ad0bf6a867471a80969b2bede8ef6e

SHA1
c0aa57f71808eb982956c217c3b0360de0f415fb

SHA256
76a95fe7ce2887538ed4c728a2dc9646253eda22b05c4ea4a7c4f716eb684c88

SHA512
826e099eff649d9aa7c404e86516ceef28f26b14f846c9a2ad360bfe9095d24828c91384f4e3408d05cd70552b11f86ed94c0a0394a9c4095a04f06d7dbc25b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39B.tmp

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3EE.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\chrtmp

Filesize
92KB

MD5
6093b9b9effe107a1958b5e8775d196a

SHA1
f86ede48007734aebe75f41954ea1ef64924b05e

SHA256
a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

SHA512
2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

Download Submit
C:\Users\Admin\AppData\Roaming\data.dat

Filesize
32B

MD5
85339a4aaa0d95f77166d3c1389f8faf

SHA1
e1271db082522454a14d21cea8c2ed72939916d7

SHA256
7859659168a469116376649ed9df8371d38ab3a98c72fd6a9819ac13f3641d81

SHA512
646c6e43a0674000b2014468fd32edbd20c51ca1063dd9f8c39e3a6f3222abc7f0aa13aec23088c0bf628cd247885ca7150ff8f92eebe11a1cce17c2e6db0a94

Download Submit
C:\Users\Admin\AppData\Roaming\data.dat

Filesize
202B

MD5
86dcede3be1ef2a3853834b24eb85560

SHA1
e73b6d8ac821b532ac53f0523daf70055ea7a225

SHA256
0cd471d212dbd992b3b9003975c4c863d27b1888bbb4bed60b2c6df018509eff

SHA512
38d0b376f1c8e2043091d5afbac7786c9b7a2c7e9824c81f22fbdd7f84c0a9a0e44f0adcdf48c029909fe7253cde065ebdf583dafebf1132368aaa31351b23bc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 645019.crdownload

Filesize
2.7MB

MD5
1e17ceff00f18d129b514bd6b01d9e85

SHA1
e2e5b38df2052b7ed3f95e3f0e2dabc079c64f29

SHA256
64517ef6dd936d54c2ef6a6edad5e018cef9facd71693b9a94dceca2847fce6a

SHA512
73ace5997c333a8c9d0279a77f51e335a724c39d7bd450b4aab9b162bd5eccc4d457536abab663ce539046e91e6e57a04814426c416418d077ef8320ad672b2d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWSUPDATE.EXE

Filesize
163KB

MD5
24e2f8699579dc971a255076c08e829f

SHA1
5b45b15f4993d3112083b73806415d5eb587b9ea

SHA256
2a05046af890c5c4daa47277ccf630ac99228709ee489bd5517ba019fd0f5750

SHA512
de76329069c601feb874159360a28e3106dca47c05b069cb4c1d25e80a6fe7a44e6fa756a83c9f4d7da0b1f27628e389aaa60e2db7ae29d5e6d47537acce4a84

Download Submit
\Users\Admin\AppData\Local\Temp\WINUPDTR.EXE

Filesize
340KB

MD5
55642a17d2b2f4a3b0622380cbd7a398

SHA1
54a6f1c9d6f207af5dcea9557b420fade8a30f82

SHA256
c8bb9bc16ff8cebc7ec50e94c4d6ee1c884c5bbe57c61b5dde520e953845fca0

SHA512
83084e5595f4e5e226f4a924100b8f9d9707b15966aa54956a0169b84c1e852b55f82280f8f9014ec78ece6e151078aa51c4ae2e841f23a44b9c060ad24d0948

Download Submit
memory/540-43-0x0000000000370000-0x00000000003E4000-memory.dmp

Filesize
464KB

Download
memory/540-41-0x0000000000370000-0x00000000003E4000-memory.dmp

Filesize
464KB

Download
memory/540-234-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/540-42-0x0000000000370000-0x00000000003E4000-memory.dmp

Filesize
464KB

Download
memory/540-220-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/540-184-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/540-193-0x0000000000370000-0x00000000003E4000-memory.dmp

Filesize
464KB

Download
memory/540-194-0x0000000000370000-0x00000000003E4000-memory.dmp

Filesize
464KB

Download
memory/540-198-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/540-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/540-226-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/540-219-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1088-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1088-129-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-63-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-66-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-71-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-70-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-68-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-74-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-131-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2104-152-0x0000000000320000-0x0000000000394000-memory.dmp

Filesize
464KB

Download
memory/2104-156-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2352-13-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-18-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-22-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-67-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-23-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-24-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-20-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-19-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-14-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-0-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-32-0x0000000003830000-0x00000000038A4000-memory.dmp

Filesize
464KB

Download
memory/2352-2-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-5-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-6-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2352-10-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-206-0x00000000039D0000-0x0000000003A44000-memory.dmp

Filesize
464KB

Download
memory/2360-159-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-128-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-160-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-161-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-134-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-148-0x00000000039D0000-0x0000000003A44000-memory.dmp

Filesize
464KB

Download
memory/2360-133-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2360-132-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download