laplas | hxxps://www[.]mediafire[.]com/file/wddo7ggxmyc704i/2O23-F1LES-S0ft[.]rar/file

Analysis

max time kernel
1800s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/wddo7ggxmyc704i/2O23-F1LES-S0ft.rar/file

Score

10^/10

laplas vidar xmrig 3a8269adbf2982cc1c6703fbf87bdce7 clipper discovery evasion miner persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

Botnet

3a8269adbf2982cc1c6703fbf87bdce7

https://steamcommunity.com/profiles/76561199508624021

https://t.me/looking_glassbot

Attributes

profile_id_v2
3a8269adbf2982cc1c6703fbf87bdce7
user_agent
Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Extracted

Family

laplas

http://185.209.161.89

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1096 created 2600	1096	47586973850951078559.exe	25
PID 1096 created 2600	1096	47586973850951078559.exe	25
PID 1096 created 2600	1096	47586973850951078559.exe	25
PID 1096 created 2600	1096	47586973850951078559.exe	25
PID 1096 created 2600	1096	47586973850951078559.exe	25
PID 4488 created 2600	4488	updater.exe	25
PID 4488 created 2600	4488	updater.exe	25
PID 4488 created 2600	4488	updater.exe	25
PID 4488 created 2600	4488	updater.exe	25
PID 4488 created 2600	4488	updater.exe	25
PID 4488 created 2600	4488	updater.exe	25

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	37590181554456242966.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/4488-1349-0x00007FF6E6CB0000-0x00007FF6E7695000-memory.dmp	xmrig
behavioral2/memory/5932-1353-0x00007FF6EB4F0000-0x00007FF6EBCDF000-memory.dmp	xmrig
behavioral2/memory/5932-1379-0x00007FF6EB4F0000-0x00007FF6EBCDF000-memory.dmp	xmrig
behavioral2/memory/5932-1392-0x00007FF6EB4F0000-0x00007FF6EBCDF000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	47586973850951078559.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	37590181554456242966.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	37590181554456242966.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 5 IoCs

pid	Process
5912	Setup.exe
5632	37590181554456242966.exe
1096	47586973850951078559.exe
4488	updater.exe
5732	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
5912	Setup.exe
5912	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	37590181554456242966.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37590181554456242966.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5632	37590181554456242966.exe
5732	ntlhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 5280	4488	updater.exe	176
PID 4488 set thread context of 5932	4488	updater.exe	177

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Chrome\updater.exe	47586973850951078559.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5772	sc.exe
5852	sc.exe
5288	sc.exe
6108	sc.exe
1752	sc.exe
3752	sc.exe
4940	sc.exe
5400	sc.exe
2000	sc.exe
2856	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	601	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295306512312334"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	chrome.exe
2348	chrome.exe
5912	Setup.exe
5912	Setup.exe
3092	chrome.exe
3092	chrome.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
1096	47586973850951078559.exe
1096	47586973850951078559.exe
4488	updater.exe
4488	updater.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
4488	updater.exe
4488	updater.exe
4488	updater.exe
4488	updater.exe
4488	updater.exe
4488	updater.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
4488	updater.exe
4488	updater.exe
4488	updater.exe
4488	updater.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe
5932	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
5468	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2228	2348	chrome.exe	81
PID 2348 wrote to memory of 2228	2348	chrome.exe	81
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 2748	2348	chrome.exe	82
PID 2348 wrote to memory of 4732	2348	chrome.exe	83
PID 2348 wrote to memory of 4732	2348	chrome.exe	83
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84
PID 2348 wrote to memory of 1740	2348	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.mediafire.com/file/wddo7ggxmyc704i/2O23-F1LES-S0ft.rar/file
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb04ee9758,0x7ffb04ee9768,0x7ffb04ee9778
    3⤵
    PID:2228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:2
    3⤵
    PID:2748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:8
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:8
    3⤵
    PID:1740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5060 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5308 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=6072 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:1500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=6068 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=6424 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4440 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6368 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:1652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:8
    3⤵
    PID:636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5904 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5000 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4996 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6568 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7160 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:8
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8044 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:8
    3⤵
    PID:3272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8368 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:8
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=8336 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=8356 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=8124 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=8248 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7836 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7896 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5756 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:1868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4792 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5792 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8052 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7668 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:2244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=8408 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=8252 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=8508 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4812 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:4972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=9160 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8896 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7736 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8932 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:1
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9068 --field-trial-handle=1816,i,1100920483349776137,12122402187075201597,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\2O23-F1LES-S0ft\" -spe -an -ai#7zMap6121:92:7zEvent1233
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5468
- C:\Users\Admin\Downloads\2O23-F1LES-S0ft\Setup.exe
  "C:\Users\Admin\Downloads\2O23-F1LES-S0ft\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5912
- - C:\ProgramData\37590181554456242966.exe
    "C:\ProgramData\37590181554456242966.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5632
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5732
- - C:\ProgramData\47586973850951078559.exe
    "C:\ProgramData\47586973850951078559.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2204
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5772
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4940
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5400
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2000
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5852
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4892
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4972
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1108
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#doisr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:6076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5252
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2856
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5288
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6108
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1752
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3752
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5696
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1492
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#doisr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5280
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1104

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
9.9MB

MD5
3534c429c2ba189a2ed4cb866ad0fa94

SHA1
ad06745ad34b8ec4366db55686271e28b3e2b177

SHA256
1c37941b0cf1cd8a4c9bf83de0ee33ac4338abd68c9498d3c87090c118a07f4e

SHA512
363c9817724c8d93d76ce9c3556189391218d75db1daf4332088c607635959fd36708870313c3588fdced03fbaf6a4fe5dfad3d35ed67a9912ff642c348c95e5

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
9.9MB

MD5
3534c429c2ba189a2ed4cb866ad0fa94

SHA1
ad06745ad34b8ec4366db55686271e28b3e2b177

SHA256
1c37941b0cf1cd8a4c9bf83de0ee33ac4338abd68c9498d3c87090c118a07f4e

SHA512
363c9817724c8d93d76ce9c3556189391218d75db1daf4332088c607635959fd36708870313c3588fdced03fbaf6a4fe5dfad3d35ed67a9912ff642c348c95e5

Download Submit
C:\ProgramData\37590181554456242966.exe

Filesize
4.6MB

MD5
bfa86f8062c7e1c44f8e82f12f77caef

SHA1
6951a0b2308f72fccb62c263f083ff4e7ce5f93d

SHA256
ad1761fa2b7f8730c013e0baf2f37d00ac0a8bb93e2dcd82bcb05f36e7638cf7

SHA512
b9b19be52ec5f4d522b6b5210a42adbee59b23a67be217dce7cef997eb489cd9f3076c30e267425062f5359a7995c07262f12925c8397b12deef4726337536d9

Download Submit
C:\ProgramData\37590181554456242966.exe

Filesize
4.6MB

MD5
bfa86f8062c7e1c44f8e82f12f77caef

SHA1
6951a0b2308f72fccb62c263f083ff4e7ce5f93d

SHA256
ad1761fa2b7f8730c013e0baf2f37d00ac0a8bb93e2dcd82bcb05f36e7638cf7

SHA512
b9b19be52ec5f4d522b6b5210a42adbee59b23a67be217dce7cef997eb489cd9f3076c30e267425062f5359a7995c07262f12925c8397b12deef4726337536d9

Download Submit
C:\ProgramData\37590181554456242966.exe

Filesize
4.6MB

MD5
bfa86f8062c7e1c44f8e82f12f77caef

SHA1
6951a0b2308f72fccb62c263f083ff4e7ce5f93d

SHA256
ad1761fa2b7f8730c013e0baf2f37d00ac0a8bb93e2dcd82bcb05f36e7638cf7

SHA512
b9b19be52ec5f4d522b6b5210a42adbee59b23a67be217dce7cef997eb489cd9f3076c30e267425062f5359a7995c07262f12925c8397b12deef4726337536d9

Download Submit
C:\ProgramData\47586973850951078559.exe

Filesize
9.9MB

MD5
3534c429c2ba189a2ed4cb866ad0fa94

SHA1
ad06745ad34b8ec4366db55686271e28b3e2b177

SHA256
1c37941b0cf1cd8a4c9bf83de0ee33ac4338abd68c9498d3c87090c118a07f4e

SHA512
363c9817724c8d93d76ce9c3556189391218d75db1daf4332088c607635959fd36708870313c3588fdced03fbaf6a4fe5dfad3d35ed67a9912ff642c348c95e5

Download Submit
C:\ProgramData\47586973850951078559.exe

Filesize
9.9MB

MD5
3534c429c2ba189a2ed4cb866ad0fa94

SHA1
ad06745ad34b8ec4366db55686271e28b3e2b177

SHA256
1c37941b0cf1cd8a4c9bf83de0ee33ac4338abd68c9498d3c87090c118a07f4e

SHA512
363c9817724c8d93d76ce9c3556189391218d75db1daf4332088c607635959fd36708870313c3588fdced03fbaf6a4fe5dfad3d35ed67a9912ff642c348c95e5

Download Submit
C:\ProgramData\47586973850951078559.exe

Filesize
9.9MB

MD5
3534c429c2ba189a2ed4cb866ad0fa94

SHA1
ad06745ad34b8ec4366db55686271e28b3e2b177

SHA256
1c37941b0cf1cd8a4c9bf83de0ee33ac4338abd68c9498d3c87090c118a07f4e

SHA512
363c9817724c8d93d76ce9c3556189391218d75db1daf4332088c607635959fd36708870313c3588fdced03fbaf6a4fe5dfad3d35ed67a9912ff642c348c95e5

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
ae58f0029f59bd8b070c5895624549d5

SHA1
9f2a17be215a9da9ad2222c873239c60c8600844

SHA256
6cb8199da2fc8b19501d5b3e55b35e317c371a26b8475157680d6d83e09e56e4

SHA512
0e1c19b9ff74f3f53d808d2df89ecb36609c4325f7fa3421c241081f51ff87b0dce5448cec4f780c999dcfd015f5fab58d6c19181522ce9d23670369b74260da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
4435594bebef27fd028962496ca8ec40

SHA1
085d14c8da839f739e50d96577bd9241161aa2ea

SHA256
958716eb9eb978894b3132056eee2ce828ceaa52103dc6b606ecb4cf3b4f71cb

SHA512
ee0a9b36b5f43dd594f4774c945053f41bd2962abc38df75cc1fff05e27a5199087fbe6ee38f7a73cfeedb16314d10f7cc72062434f87f414760c29cd6668ff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
bd550d7b85ec0f13700fae80397fc5b8

SHA1
af729ec5edb9acaed876e91c31505325b7fcb2df

SHA256
bb9ddccc49a3e2e6445f8024df6fe3faff493e21d2681c8244845ba5518eff0e

SHA512
0721d1ba987f2b25c8c65f96ff37aef14597e7af685c13eb74d9c3ba749c424332a8dd6472967233b55fca2255fd5f2eae0a4ca23ba9bb328f5e58e1d61488db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
c767ffaad7a7bca1fdec3b973d25a375

SHA1
88edb54368405ce6df51f1f66ad91b722914b93a

SHA256
31f9a101e6a26c0bc3cffdf03dfa41ae1e2f6be33db3e52d5d1eea1e0db60873

SHA512
e46f58a0460662258365d1d9780918ec5ac993b6fdc3d23a599c03a2570c0a45ec1eff4905a8da895599b6d42928e1110a846be0ee872b4146f2e88e4cf3dbf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
532a4bc969755f439563c7f32bf6c772

SHA1
bdef2c860f0dcc2dc3f5cd43f8bfd73597b7a045

SHA256
9208c5f3c145bed2679f6dc83621bd603ad41935ba00de7a23c21dc90c48d5ed

SHA512
6599ccd49ce885c0980c4b3fecc40bbacc4085c32850c969cfaa142bb42a7d5fbd2992ff6c85e2bfecc18d2fcc52ef838bd1f689884683ac152f1d657d6419d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
2c54cf2bf631dcf1dce1c6ea7ed7ea3c

SHA1
2b53885fbf230b1a988b34b0846f0f7d2b5b2e93

SHA256
9fc6dee080d103dbe203a1e96be743a9d8e5e98b754e86445d057511794ee69f

SHA512
d3d9bc747e33830139de1db4c585e0b36e07af9806a113fc6d5033a2781effc44c2a9a2f7aee98117c80954ff3ddc65837d3a19cada4b898654923bc00b7b30a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
00f70c0302c5b36f5e209b1eb7c59e30

SHA1
83934403c4067f6f0db0a0804c93eed888737eae

SHA256
8698f1cd7cef83f51917683d7c1c3d7b4c4639ad36141a4c76526e223a2b3aa6

SHA512
219900f840fef1da32020817115db9f525517b6cafe7ac34f50475cd02300c853eb80b15a8e1774355971446f512f885313282ec632669698b16eee180bb1670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
4657f818f5a6e1a70b4d99e8699d3d5b

SHA1
ed241d2c56b0b505397d5f71a77c262fd587e611

SHA256
031a18e6c8c895282e2cd923c12ff4972fb5616dc57022d31f029723e04c8f89

SHA512
349d3cb60c3de175d46510db2d7e814390a9ec580e3dd9037ac9a4b1a270e471d5ce6ffc290aeb03a3a3cd7d64eee3ac5479a2f6b1a6a2ffb18b96b4053c303e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
b1a18cf823d3c4b7996ce5a392d81614

SHA1
e86244c5214e4f647fac00b22c430fb5fe292d08

SHA256
79709aeedd50c84473af564ddb80afa2e157524b74c02e584192f1d58743fa2c

SHA512
8dc23816451b8648e9ed37770a223d3dec7855834219ecb3835c47febd6bd7b08a72a5bb1968ae91ab974e3b4ce1354236771cee3ae3a82feaa1f71ba28bbfe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
45a005b7f068fa437a7fe9f0c6be4cb3

SHA1
c0f50049f40ab3c2042e05dcbb33e76861d9adb1

SHA256
e52a772994f262e03c2c202c135c451981d7c1de4520051e6c63a504aede2e8e

SHA512
ec4f6ad452b7044d694d9b82fd723f8c75ed7794e9dede043820cc37cac1a66a683f16dd68c220c17f5ebc832f9e832e2306f20e0cf6c980d76e7e3185fefb77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0523162affdc020f38355c37bbb55084

SHA1
c60e2755c5bc0b3ab095d0b16388dcf19266c2af

SHA256
412fb1d9c6e95fcbe0be8dcec685f3c58d8ee47fcfcfb480be63a87fb2010196

SHA512
cc73855109c537a9f8ba9a65e11da8491c925566d6769e4fbc42763cee6bdd44e96728598d6456ecf8943444c0f5a9fdad2252e62aa9e4cd00125e33c6cc0681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
86351c116a372da7180d74333f9c3e76

SHA1
f361d8991243d3a51ed61c11c7bdf41dcfef8d2a

SHA256
352af790238a173d21557debf1db55453fde4446d1fa476f339d255b4a01a06d

SHA512
6a5ff408489f1edf8c5bdb1b321d7ab66635a99d98b97cd8e2babbeebc3aaca44009ab2a2d596430c973d55110e74e785292a4e3289215bdfba62c1a3fe2207a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
0f60e51832dd5e7aca2351d2c86b67ec

SHA1
45cb8341a4a01bed17e50b1aabaf1d98b30e10b4

SHA256
c69947cd48acb6a687e0faf9d3e56a3f68422416032eb88b980ddba2ef169142

SHA512
b6919bc4641e148d799f7e2793c84e3300458cfdba1a3a77f84bc4ff4ee7aca84f55d27e5d7eecb0f5343934b58dc418b42828412dedfc8acb953ed69768ff8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
60KB

MD5
b6fc0c85c036dac5748f17f5b25ee62d

SHA1
16175893abd20c2488686b12810eadb4d6cfa104

SHA256
66ea0af996ba00524d1c5747f59379c7946c2061090d93c613e46adb174feb8f

SHA512
c10237e76c7bc4646224e8c91c994065ceff974ac2859752062b9a2cbd7ca98fc8b80d78ba078488f36f04e40f4ed504717613bfa5291e42d16520de13a24f58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
a8ff09a5a764b166e54eca34b720075f

SHA1
08b7e0b891777c3b1bcff0e06949de9c03fcce2d

SHA256
6846d7354a82beeabb3b2138581365b29ee667f1891477e31a6372031a6c91d5

SHA512
ad73390dcec6e83d0c5fa853744b847e96763b5188dc100faaf2e29d7acb8270ab57e321c435a17770f2f96a2e9ede923f79bd748775b347b1f31a56378e8207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
172412e2039ac6eb076d875df863eca7

SHA1
b723a91704f9d9713bd85481776aca74a849eff1

SHA256
99d30cec4353b89a983c1311c45dafa1ecdafadbeda9584df6b3934fe5729524

SHA512
c78646d5fab9b734bafd783cf6dea90f2f66ae7861026e9060a24c591ed7809cfc7650a086b8e0250d87b26abbc7cf929406c12764c65cfe710e6ad424649b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
6ccdd5675f51d34d86054aae49808801

SHA1
4fb234ccdbcbb277f0abd998d1d9aeb90ba0139b

SHA256
b01fc3dfafbf7de8bddf4bb44db966ac1e31bac0147387eb181dac1f19f7b13d

SHA512
1ba0a3cac7a24c831c1a54ce903cdf59be2ee6c43b400f2fb0c46959ecb5ad795fd2657c410212fc4b3267270aa38887159e6f450d8719973fede0965b887333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
b09fed24b954ef6b5dad415180cecde6

SHA1
3b637360acbf9a5fafa53aba2d45a871e9c3bf53

SHA256
a148f3d00981fae031cf701bd1116396173fd066416a8d1741bd662ba20c6fa7

SHA512
a30b345c27f95492eb05d10ab6d987717e55ea22b1f68a11b36c9ed2e4a1cbe993a0a618584278da3ef79e72510da805d55949b8751cae93e63617e1a0be2937

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
6737e27e42892f7b21b9d36b408d5cca

SHA1
1af45cece914f95808132d2c667563619714337e

SHA256
269878b57a3dee184baf9717632cc2a3a5605b678ec04ef2f742125c97b53696

SHA512
170bad356da65f68184e7e8b8b6f08282492b3989ade92ade8380d21faba1ee0115612556ce9b2140c1367d7a375844e0ce2f0e94209eb36f2b468b1c299ef7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
62058c44a3c5c7f403230b2e08e90d2e

SHA1
d3dacf941bed197b29c9754dfd834104a88c57eb

SHA256
43e5fe951c03b2a5f0b093b5ec964855704b1abff36a69712960c0bc201066aa

SHA512
9d58f7b99332b6dbc943f1f759b5c506358f66792824a8e99dfc717c6c287dc7dbe2ec8d34519b3b97a8d51326ee8d7652d6b5bfc5e49ffe297bfbc0bf94e1c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
b36ccb4d2d7f653054fde188a1bf25fe

SHA1
d58b39e781bf74a3667ac5889492baa0aa989362

SHA256
4f9dd3d80ee885dd4d6944c940fa88b1de4c4d90fd58d383472a6e62724e41c7

SHA512
ae988981ff79a43e2ba3a9e96a2930cbd2deb373d9ed21066dbbcbab8b5b395b93e2cf74275e2f448fc7abdf07481af4d341373894d2db94cb3792fd171cee82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
38b14a5fdb9afe4f4274936461e0fb38

SHA1
4b5736e662ce3c4db346f57359028c59eebcb5d0

SHA256
228e79e1f31e20bcaac3c114a92d4ec8e24ed30d0518f11063842175bcfcb0ea

SHA512
3589c9f73fc19b3896d5b5baf421ee13b649ff0aaeaa4feef69ec23fe00055739a0425201f8a99ef7e654cd10156b0c157b18cfac1a6d4e712737adb8fa7c4fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
237795ae3867379fe4c10de56f90aaa4

SHA1
fc9bf6eef0f5248e61db0a48faf19d857d0dfa4e

SHA256
55ca940b33ad657686dcfa9f71ca1906cd7feb77ee8786c40236d4a794b5b1ff

SHA512
752ea7a96a40260cf1efb450e863ba33603b3577f1002677b4a1b61745d59abe3ee979b27e0736c19a85ccf64eac852a60b36b8865510a701940c05e6444b448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
7b714b44805efb106feb0b1dcb6950ac

SHA1
6cb8216380fbc94c1badcd8fbb098099e1a574b4

SHA256
3851d47d906e5c7643d7e0d25c14d5ab38d185295124f9153680df7c664c4f1c

SHA512
2c3540d68af19acb7e7ddbc55d3cecdb74985ff0f2957193b82450749f79b2283efa2cd0dd66ba6558912e5c1f5b89d80904d990a388dc198916b506cb9e632f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
a8c408f3188d94684f7557ab08b593db

SHA1
d2a7322d4afec71ee1430f5f2e0949734ebe2f7a

SHA256
682b724c3b3d5d1557ba1cde1ee1595a1ca12bc792e8b680d7bc225375b49bf6

SHA512
ae8e45d5de0ec89db0ebfe974a677d733d04d96a9b7bc3f87e75fa6394de15f3af3752b2c5b99039fd252f69c7ec2b092b00b70d9d2b7353d14c04bc723159fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
154a87aa4aef69e276706db114299bb9

SHA1
ead215a53f47b5f6d192bf9abd745f742520683f

SHA256
02aebb6626482b2c4e5b08cf41d41e31f2de97800ce28bce8bb95de692980e52

SHA512
f544b3a97b5a438ccea0af34a47696637e60cfc7348dcbd5adde2919c467aa461dfa34683fa127983a43f215999db4711a0b323b45dedf1f61935c276b3ade2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
02a07deb3c70d50027532ef9d370229b

SHA1
3a2551c0a010b2a7dbd3faa34715fbc5507647b8

SHA256
38930d44b3f3951b9645517bcd0bae5f0eaea05219b90746ef7e6ad316024c5b

SHA512
f6b74a190b58f76882af014fdb20c81f79659582bf1405a3148f2c19ac3a94a440f86e341eb053c4cada9a50bd4333ef4d42bb521d3f02ed1ed43774f6bf4cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c3294cc9c8a8d4f661dc08797c198086

SHA1
72f2c06120bcadc6f82e765a1f39583e0ba9ab46

SHA256
2f5da31610061b5830e47759017bba913e4171c4112a7a65ff75dc0fabaf5ccd

SHA512
09c4dcb4a914a5f522ff69cb85fb837d2f29ee3834cf3fb26baf6b8d3fa87ef06126cc72f2745b4bf817d5a9d243d18714bcd9c6926d224ccc236067f6002291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3d09ba888ff43fc6fb2f8055833a81ef

SHA1
e84154e90a139fb2b6aa2840297707ab82f5e9df

SHA256
2511099abe7b116f6de3ea6d7a5e14f1fe43f3e3d976113e27aa0c8949e029e1

SHA512
be13591436150ca12a67d3beec6db5d09f4deb0859a3b982a3a9fa13a61c00a793a4ae43955fb138b0c5a494f10783231563cb82c30800bab3e0256e5e074d15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7db5273bc75cfa882cd24714f458bca3

SHA1
66cf19bc7ff16b3089fe2afbf45e1b6d11b5ba90

SHA256
ad4dd7a62cfe5c2f6f2e084f64c0a584b9e3e7b80db0e6b7cf4fab0853698bbc

SHA512
ce69aae811f9c8f371543b5c1ee3fe922fb393a1975ed5822850eeb19fb567cd4f7fe21df0403dfcd0dddaf978369c27c8a824000eefcd4cfb8644ed8d7498b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
a7f3564c6061848063f141f911b0b0a4

SHA1
651be6b28354776fcaf1827849c39c1cff572f65

SHA256
c0685be8732b860d8c3478068118e7c9d74c8394b59df9fdb89554273434ce11

SHA512
88caf0506f38459c2a490b2475e76150da344d81e95a0b157401765de0c1ccdea7b3ff879f5626d93e573721d2998c4214b2674adc321d42408657af4bebbcbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
a7f3564c6061848063f141f911b0b0a4

SHA1
651be6b28354776fcaf1827849c39c1cff572f65

SHA256
c0685be8732b860d8c3478068118e7c9d74c8394b59df9fdb89554273434ce11

SHA512
88caf0506f38459c2a490b2475e76150da344d81e95a0b157401765de0c1ccdea7b3ff879f5626d93e573721d2998c4214b2674adc321d42408657af4bebbcbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duxmxs0h.umk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
833.6MB

MD5
6908f5f32e3cfc5b982646fed133cc89

SHA1
0e5084cf1e8ca0e7d93d00de669d0fdca028c4fd

SHA256
392067c0a779140bcce634a188516089c85e72810a69eed1d2acf93b11275c45

SHA512
32b47e6d423d1d9a2818f0dfe9d7fd627d7fbe369842c5e9cf8e504318e98a9cd7f13d13057e839d1b5735c5feb7491e36af38f34c25472b8b773cf54a7e5927

Download Submit
C:\Users\Admin\Downloads\2O23-F1LES-S0ft.rar

Filesize
16.1MB

MD5
7dfc684dd97c18828e2a85b6415dee45

SHA1
5c2de26ff4d9993852e1397755c561e4b359853c

SHA256
a76c4f346a0f72cc1fcf8c471abb0ecd2e914c5863a4f4556d884212f8d3b2fb

SHA512
9579a1f3787806fb2864ce8cb6dbe3aeb4d0db7ac336a5352ccfc4cde770c5ce9cb3fd6f1b005fe61da31b341d3ee2eccbe9c592c76dd7347507ef981d4721ea

Download Submit
C:\Users\Admin\Downloads\2O23-F1LES-S0ft\Framework\Privacy Policy\UBT_en.rtf

Filesize
78KB

MD5
1aec177b22e45f99fc812d5bfedd2f07

SHA1
2103b6c5ae4f024739485baba385385f15d6b79b

SHA256
6b45386a52901170d24db77537044197450bf3412590b694de589596c5f68839

SHA512
5b207f7d31698f1250722e61dcafab511bfba8868579acf9fdbaa110b78eae1129bcc0bd40e02125354a9812e99b1d8f1c288dae343cc27ed05aea6dabf2415a

Download Submit
C:\Users\Admin\Downloads\2O23-F1LES-S0ft\Framework\Privacy Policy\UBT_pt.rtf

Filesize
67KB

MD5
b77c9bd407bd96f78df9de69a4c73d72

SHA1
79e2c3189b94f84e048a1649a622b3bd7775d2fb

SHA256
5716cec8bd05d09a80cb4bc9924b114f7ffd8e1c93478462c6c928bca387f079

SHA512
ccf9e0f935637095bc91bf78f07a2ced51f73460993d6cb9935eb3cb544ccec8247e4a11ef622b7e8f32e89289764757712a37d06958a97a7fd7ddf4705d72e3

Download Submit
C:\Users\Admin\Downloads\2O23-F1LES-S0ft\Setup.exe

Filesize
1622.3MB

MD5
76132c8c083dcba9039a77b710c59f84

SHA1
4956a23e70a2190a99ded88df72401898a99e520

SHA256
b5c65fa6b65da2b0e82a6d0db4da90f6025e0ce802ee4a0492338ac8de5ad09d

SHA512
c1cf386277e19f562b3195a5df208f594d7094cfd00cfdcb43e8778aacec12d0dd75a11dcb6ce88dde002b4cb3d9260ef2293b81ca850c901dc62d803e45d604

Download Submit
C:\Users\Admin\Downloads\2O23-F1LES-S0ft\Setup.exe

Filesize
1622.3MB

MD5
76132c8c083dcba9039a77b710c59f84

SHA1
4956a23e70a2190a99ded88df72401898a99e520

SHA256
b5c65fa6b65da2b0e82a6d0db4da90f6025e0ce802ee4a0492338ac8de5ad09d

SHA512
c1cf386277e19f562b3195a5df208f594d7094cfd00cfdcb43e8778aacec12d0dd75a11dcb6ce88dde002b4cb3d9260ef2293b81ca850c901dc62d803e45d604

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/564-1343-0x000001FB228A9000-0x000001FB228AF000-memory.dmp

Filesize
24KB

Download
memory/564-1341-0x000001FB228A0000-0x000001FB228B0000-memory.dmp

Filesize
64KB

Download
memory/564-1330-0x000001FB228A0000-0x000001FB228B0000-memory.dmp

Filesize
64KB

Download
memory/564-1331-0x000001FB228A0000-0x000001FB228B0000-memory.dmp

Filesize
64KB

Download
memory/564-1329-0x000001FB228A0000-0x000001FB228B0000-memory.dmp

Filesize
64KB

Download
memory/1096-1208-0x00007FF7007D0000-0x00007FF7011B5000-memory.dmp

Filesize
9.9MB

Download
memory/1096-1243-0x00007FF7007D0000-0x00007FF7011B5000-memory.dmp

Filesize
9.9MB

Download
memory/1096-1206-0x00007FF7007D0000-0x00007FF7011B5000-memory.dmp

Filesize
9.9MB

Download
memory/1096-1265-0x00007FF7007D0000-0x00007FF7011B5000-memory.dmp

Filesize
9.9MB

Download
memory/1756-1249-0x0000022F23130000-0x0000022F23140000-memory.dmp

Filesize
64KB

Download
memory/1756-1248-0x0000022F23130000-0x0000022F23140000-memory.dmp

Filesize
64KB

Download
memory/1756-1252-0x0000022F23130000-0x0000022F23140000-memory.dmp

Filesize
64KB

Download
memory/2796-1293-0x000002AA61030000-0x000002AA6104C000-memory.dmp

Filesize
112KB

Download
memory/2796-1301-0x000002AA612B0000-0x000002AA612BA000-memory.dmp

Filesize
40KB

Download
memory/2796-1302-0x000002AA60CF0000-0x000002AA60D00000-memory.dmp

Filesize
64KB

Download
memory/2796-1300-0x000002AA612A0000-0x000002AA612A6000-memory.dmp

Filesize
24KB

Download
memory/2796-1279-0x000002AA60CF0000-0x000002AA60D00000-memory.dmp

Filesize
64KB

Download
memory/2796-1280-0x000002AA60CF0000-0x000002AA60D00000-memory.dmp

Filesize
64KB

Download
memory/2796-1299-0x000002AA61270000-0x000002AA61278000-memory.dmp

Filesize
32KB

Download
memory/2796-1283-0x000002AA60CF0000-0x000002AA60D00000-memory.dmp

Filesize
64KB

Download
memory/2796-1298-0x000002AA612C0000-0x000002AA612DA000-memory.dmp

Filesize
104KB

Download
memory/2796-1294-0x000002AA61110000-0x000002AA6111A000-memory.dmp

Filesize
40KB

Download
memory/2796-1295-0x000002AA61280000-0x000002AA6129C000-memory.dmp

Filesize
112KB

Download
memory/2796-1296-0x00007FF490F50000-0x00007FF490F60000-memory.dmp

Filesize
64KB

Download
memory/2796-1297-0x000002AA61260000-0x000002AA6126A000-memory.dmp

Filesize
40KB

Download
memory/4488-1281-0x00007FF6E6CB0000-0x00007FF6E7695000-memory.dmp

Filesize
9.9MB

Download
memory/4488-1268-0x00007FF6E6CB0000-0x00007FF6E7695000-memory.dmp

Filesize
9.9MB

Download
memory/4488-1349-0x00007FF6E6CB0000-0x00007FF6E7695000-memory.dmp

Filesize
9.9MB

Download
memory/4488-1306-0x00007FF6E6CB0000-0x00007FF6E7695000-memory.dmp

Filesize
9.9MB

Download
memory/4712-1230-0x0000023B1D280000-0x0000023B1D290000-memory.dmp

Filesize
64KB

Download
memory/4712-1219-0x0000023B1D280000-0x0000023B1D290000-memory.dmp

Filesize
64KB

Download
memory/4712-1218-0x0000023B358D0000-0x0000023B358F2000-memory.dmp

Filesize
136KB

Download
memory/4712-1220-0x0000023B1D280000-0x0000023B1D290000-memory.dmp

Filesize
64KB

Download
memory/5280-1352-0x00007FF6C7AE0000-0x00007FF6C7B0A000-memory.dmp

Filesize
168KB

Download
memory/5280-1391-0x00007FF6C7AE0000-0x00007FF6C7B0A000-memory.dmp

Filesize
168KB

Download
memory/5632-1200-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1204-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1231-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1232-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1201-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1202-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1203-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1267-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1207-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1181-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1199-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1197-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5632-1366-0x00000000006C0000-0x0000000001027000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1371-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1389-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1369-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1370-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1367-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1372-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1373-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1374-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1375-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1376-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1377-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5732-1407-0x0000000000340000-0x0000000000CA7000-memory.dmp

Filesize
9.4MB

Download
memory/5912-1059-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5912-1038-0x0000000000690000-0x00000000011D9000-memory.dmp

Filesize
11.3MB

Download
memory/5932-1488-0x0000020201940000-0x0000020201960000-memory.dmp

Filesize
128KB

Download
memory/5932-1392-0x00007FF6EB4F0000-0x00007FF6EBCDF000-memory.dmp

Filesize
7.9MB

Download
memory/5932-1379-0x00007FF6EB4F0000-0x00007FF6EBCDF000-memory.dmp

Filesize
7.9MB

Download
memory/5932-1348-0x000002016F220000-0x000002016F240000-memory.dmp

Filesize
128KB

Download
memory/5932-1353-0x00007FF6EB4F0000-0x00007FF6EBCDF000-memory.dmp

Filesize
7.9MB

Download
memory/5932-1492-0x0000020201940000-0x0000020201960000-memory.dmp

Filesize
128KB

Download
memory/5932-1504-0x0000020201940000-0x0000020201960000-memory.dmp

Filesize
128KB

Download
memory/5932-1505-0x0000020201960000-0x0000020201980000-memory.dmp

Filesize
128KB

Download
memory/5932-1509-0x0000020201940000-0x0000020201960000-memory.dmp

Filesize
128KB

Download
memory/5932-1510-0x0000020201960000-0x0000020201980000-memory.dmp

Filesize
128KB

Download
memory/5932-1368-0x00000201F13C0000-0x00000201F1400000-memory.dmp

Filesize
256KB

Download