General Info

URL

https://outlookexpressmail.net/EXP/

Full analysis
https://app.any.run/tasks/837505f5-e890-4bfd-b49c-6d55b5f9eed4
Verdict
Malicious activity
Analysis date
3/14/2019, 13:23:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
hawkeye
stealer
evasion
trojan
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Actions looks like stealing of personal data
  • vbc.exe (PID: 1920)
  • vbc.exe (PID: 2872)
Stealing of credential data
  • vbc.exe (PID: 1920)
  • vbc.exe (PID: 2872)
Connects to CnC server
  • RegAsm.exe (PID: 3940)
Application was dropped or rewritten from another process
  • 655.exe (PID: 3376)
  • P.O.exe (PID: 3336)
Detected Hawkeye Keylogger
  • RegAsm.exe (PID: 3940)
Changes the autorun value in the registry
  • 655.exe (PID: 3376)
Connects to SMTP port
  • RegAsm.exe (PID: 3940)
Executes scripts
  • RegAsm.exe (PID: 3940)
Loads DLL from Mozilla Firefox
  • vbc.exe (PID: 2872)
Cleans NTFS data-stream (Zone Identifier)
  • P.O.exe (PID: 3336)
Executable content was dropped or overwritten
  • cmd.exe (PID: 2184)
  • chrome.exe (PID: 3536)
Starts CMD.EXE for commands execution
  • P.O.exe (PID: 3336)
Application launched itself
  • chrome.exe (PID: 3536)
Reads Internet Cache Settings
  • chrome.exe (PID: 3536)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Screenshots

Processes

Total processes
45
Monitored processes
13
Malicious processes
6
Suspicious processes
1

Behavior graph

+
drop and start start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs p.o.exe no specs cmd.exe cmd.exe no specs 655.exe #HAWKEYE regasm.exe vbc.exe vbc.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3536
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://outlookexpressmail.net/EXP/
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221225547
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\hid.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\credui.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winusb.dll
c:\windows\system32\msi.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mscms.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\audioses.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wpc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\users\admin\downloads\p.o.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wshqos.dll

PID
2228
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6fe300b0,0x6fe300c0,0x6fe300cc
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3468
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3540 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_watcher.dll

PID
2632
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=936,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=8593F8F35E58DC355323114D3D5705DE --mojo-platform-channel-handle=996 --ignored=" --type=renderer " /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\slc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dxva2.dll
c:\program files\google\chrome\application\68.0.3440.106\d3dcompiler_47.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libegl.dll

PID
3384
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=936,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --service-pipe-token=D0B8B9D179219C3E61B73DB195BB9AA8 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=D0B8B9D179219C3E61B73DB195BB9AA8 --renderer-client-id=4 --mojo-platform-channel-handle=1896 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3928
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=936,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --service-pipe-token=DBF90E562A45A729BA8B0254D43506F4 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=DBF90E562A45A729BA8B0254D43506F4 --renderer-client-id=3 --mojo-platform-channel-handle=2040 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3336
CMD
"C:\Users\admin\Downloads\P.O.exe"
Path
C:\Users\admin\Downloads\P.O.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
FINDER ECHIPAMENTE SRL
Description
Outlook Express Backup plugin
Version
15.10.19.1
Modules
Image
c:\users\admin\downloads\p.o.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\system32\psapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2184
CMD
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\Downloads\P.O.exe" "C:\Users\admin\AppData\Local\655.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
Parent process
P.O.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2744
CMD
"C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Local\655.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
P.O.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\655.exe

PID
3376
CMD
"C:\Users\admin\AppData\Local\655.exe"
Path
C:\Users\admin\AppData\Local\655.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
FINDER ECHIPAMENTE SRL
Description
Outlook Express Backup plugin
Version
15.10.19.1
Modules
Image
c:\users\admin\appdata\local\655.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\system32\psapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe

PID
3940
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Indicators
Parent process
655.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Assembly Registration Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\psapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID
2872
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp1BD7.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Indicators
Parent process
RegAsm.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual Basic Command Line Compiler
Version
8.0.50727.5420
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\vaultcli.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\psapi.dll

PID
1920
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp4588.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Indicators
Parent process
RegAsm.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual Basic Command Line Compiler
Version
8.0.50727.5420
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
595
Read events
534
Write events
60
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3536
chrome.exe
delete key
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
failed_count
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
2
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
1
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
dr
1
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome
UsageStatsInSample
0
3536
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
usagestats
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_installdate
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_enableddate
0
3536
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
aggregate
sum()
3536
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
S-1-5-21-1302019708-1500728564-335382590-1000
1
3536
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
aggregate
sum()
3536
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
S-1-5-21-1302019708-1500728564-335382590-1000
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
lastrun
13197039799561875
3536
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307030004000E000C0017001A000C0000000000
3536
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
1
3468
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3536-13197039798561875
259
3468
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3536-13197039798561875
0
3336
P.O.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3336
P.O.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3376
655.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Application
C:\Users\admin\AppData\Local\655.exe -boot
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32
EnableFileTracing
0
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32
EnableConsoleTracing
0
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32
FileTracingMask
4294901760
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32
ConsoleTracingMask
4294901760
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32
MaxFileSize
1048576
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32
FileDirectory
%windir%\tracing
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS
EnableFileTracing
0
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS
EnableConsoleTracing
0
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS
FileTracingMask
4294901760
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS
ConsoleTracingMask
4294901760
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS
MaxFileSize
1048576
3940
RegAsm.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS
FileDirectory
%windir%\tracing

Files activity

Executable files
3
Suspicious files
27
Text files
65
Unknown types
3

Dropped files

PID
Process
Filename
Type
2184
cmd.exe
C:\Users\admin\AppData\Local\655.exe
executable
MD5: dedea5fd70fa74bee1b3d0a9f06b44a1
SHA256: 98a8b1fe9a3d154456bb8b32ad28cf4d4b391dd1668c2c55a383db73428a3254
3536
chrome.exe
C:\Users\admin\Downloads\Unconfirmed 946288.crdownload
executable
MD5: 60de0f1493af65364f21b8567609921c
SHA256: ad74e626cb6611e1683b4bafcd5f572dfdfc1e141060a426f7f85bd2c44be105
3536
chrome.exe
C:\Users\admin\Downloads\P.O.exe
executable
MD5: dedea5fd70fa74bee1b3d0a9f06b44a1
SHA256: 98a8b1fe9a3d154456bb8b32ad28cf4d4b391dd1668c2c55a383db73428a3254
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: e7acd47b6c3b7bb99299db31166657ee
SHA256: b47b91c3ea90e523847972f61cc33755c8d3d583fb905bc9ea3b1f16992fe9d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
text
MD5: b2f8d345a14b6c044e55d13c97d9a66e
SHA256: ccb49cd2237dda16950261beca5f98bd31a10d4e7909131045890ef2f522f8f1
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: 523b73e533ee3772889744deed08b489
SHA256: 80d8027def4158640f7ac2ad494f5f55445e02053549d734a429ab99454f8ab5
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1b0953.TMP
text
MD5: 523b73e533ee3772889744deed08b489
SHA256: 80d8027def4158640f7ac2ad494f5f55445e02053549d734a429ab99454f8ab5
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\e695d9d8-c336-4d15-b1a8-a799868244f2.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State
text
MD5: 8a499c9ce17a2e5aca40e19df3cab8ff
SHA256: 81a6fa3934c3b6c4d0cb4fed4b20196709d13dd1a4065389994c6efa30d3b28e
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF1b0943.TMP
text
MD5: 8a499c9ce17a2e5aca40e19df3cab8ff
SHA256: 81a6fa3934c3b6c4d0cb4fed4b20196709d13dd1a4065389994c6efa30d3b28e
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1b0934.TMP
text
MD5: 7768353497db11f64fb5db4f835b8d63
SHA256: 5406618f5cc7ce9e8284c789541ad594bef9b3da68fc72425d1d26b6bc1719a7
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 7768353497db11f64fb5db4f835b8d63
SHA256: 5406618f5cc7ce9e8284c789541ad594bef9b3da68fc72425d1d26b6bc1719a7
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c84bff90-8384-465f-a91e-d365f40447e3.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
binary
MD5: d932a31a0fb91833edb0325c6b434b34
SHA256: 8049465356163740d6e4c0bb56b9dcaa90149631646fa6bb56d01de223bd1f8e
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1b0934.TMP
text
MD5: 523b73e533ee3772889744deed08b489
SHA256: 80d8027def4158640f7ac2ad494f5f55445e02053549d734a429ab99454f8ab5
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies
sqlite
MD5: 278ff0b95db0cb7ac751fbaa35eb1100
SHA256: 94a4eaf76885dc65d51d7fef8a8f207251436c6930fab10789df19c4119a9ee0
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\2b7e412f-2f76-4df6-986a-d9f308b9b732.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
binary
MD5: ed3d1c71e33729de7febf8fe5e6ec916
SHA256: 69c86a85adc870f4b414d529894f622580db21bbefb5e2c4da4ba14141c7b1fc
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
binary
MD5: fa32c495c5b6e4767a85380842b788ee
SHA256: 9392acbefd2822bd83cd578568007d00667bd2c7a1cac137d6308403845a75bc
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
binary
MD5: 9409bab446b7204c6235dfddd6066e89
SHA256: 68c1cb50ec24ac5a1dbdc7d9c845e94a1e9d60f312cf92a694f0791cd7ea105e
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\d4685e81-0449-443f-a00e-ad9a6a33cb66.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
text
MD5: 0ea5602e7c0f65ce0779754d7330b2f3
SHA256: 03b044d81c2af48cec2d046de56317d8a0ad6d1ad80dbefc98699777028d9eaa
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2
binary
MD5: a999c3a1a7360a1f2536da1b57e9cda6
SHA256: 354ed06a2c3ac1451dd883b4e5004a4fe7430318b87c3336bcd08d4abbfe1f9c
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
binary
MD5: c71348a82390b6db75857b8e9e9be37d
SHA256: 6745e947ec99ea112a6a25c0eb6f637642565b3b6cd2b4b6ed074888022b72e5
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG
text
MD5: 9e8dbbf5a35631c656b34a18407d4ceb
SHA256: e482f9c7db5571f6d921ec03e8d77c66f1a0f5293222a869fd86302b90aa1c6a
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG
text
MD5: e24c6b5564d71434c5139f20d9fe9d1a
SHA256: 5eaf30fd5ae9aa1a84281c341cc4d6ca2d8c9d288d64c3e2eee169fe2e05a53f
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG
text
MD5: b74fc484c467d796141b1e2522c602d9
SHA256: a3508a5abe98619cfcb1cbde2869ecf4033ef4db7578ce4e578f93a0848abb85
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
text
MD5: bdb7e1c819940675f58645fd9fd9087c
SHA256: 6e02229ce4f01377e353186eda2cd83b116f48224d8b877a3a98d29df4f6ce91
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG
text
MD5: d2af0e90f61b327a17fe1598d8a3e225
SHA256: eacc77a2c0a2f8b88d2380f03f24d658c99bf0a3f8eba8a96a17d3bc87d67acd
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
text
MD5: 8435d798e21616e2e9ed1c2f676c908b
SHA256: 4a790f4288e6cf452aa7805364bd44286c68bbb55fead62fa343351303d2d76d
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
text
MD5: 99ebb3170bbf1b616588f1d2a49124a8
SHA256: caea0c460f27ba550eec6261d0b79f6cc5aae04650faded6dfaca9963d0ec160
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
binary
MD5: 6a7254bd784ac6db5a319cce9118f28e
SHA256: ed6bd7f3be7a6593d7f95558b3141a55321c373949e3a0678c450f392d8667e9
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000016
binary
MD5: cf286cb4fd0f3dcc234806e1b865987b
SHA256: 21dc23520bba7268b53957a39981c9a85d3658edc4f5455e98cac3378a440d76
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\MANIFEST-000016
binary
MD5: cf286cb4fd0f3dcc234806e1b865987b
SHA256: 21dc23520bba7268b53957a39981c9a85d3658edc4f5455e98cac3378a440d76
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
binary
MD5: 1c75dbe937de82b0ab3e922774e37779
SHA256: 6cf34e43bea049c7d15653c583bb460ef5a6a86379c168612d89b0b5a5a9a3e2
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History
sqlite
MD5: 199df8aec67f1db4c35da6c85ca037dd
SHA256: e9f6e05756d76674dcf036ef78c153c6bb0396b7ab7844f0b5aae50609917bf7
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History-journal
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data
sqlite
MD5: 54ad1e10b6b57bc9b9eed994e581dd5f
SHA256: 24d2a7516de320c3e91b1513cad94ce5ce2b964bbb8a3d1f66e8083b3205b19c
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache
binary
MD5: bfc077fb81a6705679050a54b71b242c
SHA256: 58f1a9e72a91b4d28880cc2ee28c8b5819d7387b7f92bb833aad3befd9c847ab
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Current Session
binary
MD5: 60ae00f18e05d881845fbcf1d9163965
SHA256: 84f49870ad6d62907ab2b4a401f70746e90a7f214335d73c7223e2f184d555d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: e9b9c74046451dc92428ec7604add2b5
SHA256: ad2c5d1058408d8093990a3adbb2b4cf65f8a517f261f0eb043f8081ae8e570e
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF1b052c.TMP
text
MD5: e9b9c74046451dc92428ec7604add2b5
SHA256: ad2c5d1058408d8093990a3adbb2b4cf65f8a517f261f0eb043f8081ae8e570e
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\02343f4f-0345-4d15-aa78-fea773a1bb86.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 5797d060e622b230e0f12c4ebea345d2
SHA256: fca60e7667cb2cc6e03e76163bae2fa1bd0d59f7c13cb15b4d86a5899a12ef29
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1b04af.TMP
text
MD5: 5797d060e622b230e0f12c4ebea345d2
SHA256: fca60e7667cb2cc6e03e76163bae2fa1bd0d59f7c13cb15b4d86a5899a12ef29
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bf7c6a03-60f5-4299-9d0b-89226a49eed8.tmp
––
MD5:  ––
SHA256:  ––
2228
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
binary
MD5: b59113c2dcd2d346f31a64f231162ada
SHA256: 1d97c69aea85d3b06787458ea47576b192ce5c5db9940e5eaa514ff977ce2dc2
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1b0461.TMP
text
MD5: e7acd47b6c3b7bb99299db31166657ee
SHA256: b47b91c3ea90e523847972f61cc33755c8d3d583fb905bc9ea3b1f16992fe9d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\62f0a2b8-dbb4-4f16-8187-65db3c28771a.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\DownloadMetadata
binary
MD5: 5417ebbdbeba3e7a212a51d575006097
SHA256: 0ac9d6ee11afee8ecc67a9355f07686599b170385a8e9b355dff52f88f0336c4
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\DownloadMetadata~RF1afbc6.TMP
binary
MD5: 5417ebbdbeba3e7a212a51d575006097
SHA256: 0ac9d6ee11afee8ecc67a9355f07686599b170385a8e9b355dff52f88f0336c4
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\f3503c45-5060-4b2f-a0e2-20e96b694c25.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store~RF1af6f4.TMP
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\DownloadMetadata
binary
MD5: 9526610497ed51367dedf243471ca5ba
SHA256: 3a805bc70ea3b3d4fc85704b3e7df2e77843b5a14ff6e52c5a1dc25b2345f692
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c0f9bab9-b55d-4457-8dab-b429fa935e25.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\95a35b58-249b-454e-9f9f-021df29f8e19.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\Downloads\P.O.exe:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3940
RegAsm.exe
C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904
text
MD5: 0e94f508a7733660f34dd8bdee3498be
SHA256: 557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
3536
chrome.exe
C:\Users\admin\Downloads\Unconfirmed 946288.crdownload
––
MD5:  ––
SHA256:  ––
1920
vbc.exe
C:\Users\admin\AppData\Local\Temp\tmp4588.tmp
text
MD5: 7fb9a9ad0fd9b1e0108ed71fbb276048
SHA256: 7d63c301317e144b0133a72250ae2d8e09af65a92e6a807ec58a71939fe530a9
3536
chrome.exe
C:\Users\admin\Downloads\533bde24-3f92-47a6-8151-0519c34ecf14.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store
binary
MD5: c3251d10be17591df1deccba01c9e0fe
SHA256: cb934fa8d028ff1473f5077c07fdb63775147c48a3ea22638aae4881ce6b3af5
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store~RF1aed7e.TMP
binary
MD5: c3251d10be17591df1deccba01c9e0fe
SHA256: cb934fa8d028ff1473f5077c07fdb63775147c48a3ea22638aae4881ce6b3af5
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\40bb5c85-4413-4f80-87f4-d9cd86e1fcd1.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Session
binary
MD5: 02536c23edc1e418a6fea313d20b2a39
SHA256: 8e8de8689482b477d0beebe0a4ac24b9cabcbfa84848f66b4c0f55cd96dc0fe9
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF1ae521.TMP
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF1ae1c6.TMP
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF1ae178.TMP
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model~RF1ae12a.TMP
binary
MD5: d81d3411adebeab33adad3d4bcebb566
SHA256: 2a3c70955de9bb1c091e0007deca0c978f5414b110daeeeaea7f222ab08bf013
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model
binary
MD5: d81d3411adebeab33adad3d4bcebb566
SHA256: 2a3c70955de9bb1c091e0007deca0c978f5414b110daeeeaea7f222ab08bf013
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\72ce728c-b5c4-491e-ae88-d1a07d3371be.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old~RF1ade7a.TMP
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
binary
MD5: 9c016064a1f864c8140915d77cf3389a
SHA256: 0e7265d4a8c16223538edd8cd620b8820611c74538e420a88e333be7f62ac787
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT~RF1ade3c.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF1ade3c.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF1addfd.TMP
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\f5be564f-133c-4618-9f7f-cee17226846f.tmp
––
MD5:  ––
SHA256:  ––
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1addfd.TMP
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1addde.TMP
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old~RF1addbf.TMP
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
3536
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
text
MD5: c10ebd4db49249efc8d112b2920d5f73
SHA256: 90a1b994cafe902f22a88a22c0b6cc9cb5b974bf20f8964406dd7d6c9b8867d1
2872
vbc.exe
C:\Users\admin\AppData\Local\Temp\tmp1BD7.tmp
text
MD5: c48992aae0e8fd5463a7b1617b2e0b88
SHA256: 04802c51a3ee5e9f7d48462c50b17abc0e84d54f5525d70e4c904bcc0634c3ce

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
10
DNS requests
8
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3940 RegAsm.exe GET 200 66.171.248.178:80 http://bot.whatismyipaddress.com/ US
text
shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3536 chrome.exe 172.217.23.131:443 Google Inc. US whitelisted
3536 chrome.exe 69.64.54.205:443 server4you Inc. US unknown
3536 chrome.exe 216.58.208.35:443 Google Inc. US whitelisted
3536 chrome.exe 172.217.18.13:443 Google Inc. US whitelisted
3536 chrome.exe 216.58.210.14:443 Google Inc. US whitelisted
3536 chrome.exe 216.58.207.35:443 Google Inc. US whitelisted
3940 RegAsm.exe 66.171.248.178:80 Alchemy Communications, Inc. US malicious
3940 RegAsm.exe 208.91.198.143:587 PDR US shared

DNS requests

Domain IP Reputation
www.gstatic.com 216.58.208.35
whitelisted
outlookexpressmail.net 69.64.54.205
unknown
clientservices.googleapis.com 172.217.23.131
whitelisted
accounts.google.com 172.217.18.13
whitelisted
sb-ssl.google.com 216.58.210.14
whitelisted
ssl.gstatic.com 216.58.207.35
whitelisted
bot.whatismyipaddress.com 66.171.248.178
shared
smtp.bestbirdss.com 208.91.198.143
208.91.199.223
208.91.199.225
208.91.199.224
malicious

Threats

PID Process Class Message
3940 RegAsm.exe A Network Trojan was detected MALWARE [PTsecurity] Spy.HawkEye IP Check
3940 RegAsm.exe Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction
3940 RegAsm.exe A Network Trojan was detected ET TROJAN HawkEye Keylogger Report SMTP
3940 RegAsm.exe A Network Trojan was detected MALWARE [PTsecurity] HawkEye Reborn8 Stealing Data via SMTP

3 ETPRO signatures available at the full report

Debug output strings

No debug info.