84db2274e64723614690ec6d69844879d54709e8680a10170da02269b3df7f4e

Analysis

max time kernel
98s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-05-2023 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Filestar.23.0.13.0.win-x64.DvgQL.exe
Size

19.5MB
MD5

17ff423a11de7b4f9d75f5b34982453a
SHA1

f7af47f0019e7fa780ed9449f4155d277b2f91da
SHA256

84db2274e64723614690ec6d69844879d54709e8680a10170da02269b3df7f4e
SHA512

2c939dc460987c05c759d6f732a94895b09d990e826c7eb63f14563e12be69ac13782ed296a741581a09980e70d7a74835c1cd193213046650dd4889f21fd6a5
SSDEEP

393216:6hn5QEJ2nYTOYz7yZF4MYUlX1kQ5nqE3UgofnLOmBDwYoJBVbZKZjNg2PFaV:cn5QEJn7yXU5LOQyVbZKpFa

Score

9^/10

coreentity discovery

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Program Files\Filestar\Avalonia.Visuals.dll	coreentity

Executes dropped EXE 3 IoCs

Processes:

Filestar.23.0.13.0.win-x64.DvgQL.tmpunzip.exeFilestar.exe

pid process

1336 Filestar.23.0.13.0.win-x64.DvgQL.tmp
2156 unzip.exe
2764 Filestar.exe

pid	process
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
2156	unzip.exe
2764	Filestar.exe

Loads dropped DLL 52 IoCs

Processes:

Filestar.23.0.13.0.win-x64.DvgQL.exeFilestar.23.0.13.0.win-x64.DvgQL.tmpFilestar.exeWerFault.exe

pid	process
1764	Filestar.23.0.13.0.win-x64.DvgQL.exe
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
1192
1192
1192
1192
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
1192
1192
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2764	Filestar.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

Filestar.23.0.13.0.win-x64.DvgQL.tmp

description	ioc	process
File created	C:\Program Files\Filestar\is-L5LP5.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-GNSJG.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-EE031.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\LiteDB.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\System.Web.Services.Description.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-PGCR0.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-09S4A.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-NLSOG.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Azure.Storage.Common.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-B01C4.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-CHTQM.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-UMUFO.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-27NJN.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\FilestarCli.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Filestar.Integration.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Filestar.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-LAM31.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-NK07J.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\ReactiveUI.Fody.Helpers.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\RestSharp.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.Extensions.PlatformAbstractions.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-G0FSV.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Avalonia.Base.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-6RQP1.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-0T2DE.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-0F9A2.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\JetBrains.Annotations.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-ATQND.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-AJJKM.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-IO493.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-T9D7T.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.Extensions.DependencyInjection.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Avalonia.Dialogs.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.ApplicationInsights.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-GB0HP.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-HF241.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\System.Security.Permissions.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Avalonia.Animation.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Avalonia.Skia.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-RUCCA.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-T1SLN.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.Toolkit.Uwp.Notifications.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.Extensions.Primitives.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\unins000.dat	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-CULIN.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-S8I21.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Avalonia.MicroCom.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.Extensions.FileSystemGlobbing.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\ColorTextBlock.Avalonia.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-1P258.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-MM1G7.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\System.Data.Odbc.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-JOEF1.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-6AOPR.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-MST3N.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\MultiParse.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-38VUI.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-4F17D.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-98RKD.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File created	C:\Program Files\Filestar\is-BA7AT.tmp	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Newtonsoft.Json.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Microsoft.Extensions.Http.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Avalonia.Input.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp
File opened for modification	C:\Program Files\Filestar\Serilog.Sinks.File.dll	Filestar.23.0.13.0.win-x64.DvgQL.tmp

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2984 2764 WerFault.exe Filestar.exe
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	pid_target	process	target process
2984	2764	WerFault.exe	Filestar.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1520 taskkill.exe

pid	process
1520	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEFilestar.23.0.13.0.win-x64.DvgQL.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Filestar.recipe\shell\open	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Filestar.exe\ = "C:\\Program Files\\Filestar\\Filestar.exe"	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.recipe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Filestar.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Filestar.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Filestar.recipe\shell\open\command	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Filestar\command\ = "\"C:\\Program Files\\Filestar\\Filestar.exe\" \"%V\""	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Filestar.exe\shell\open\command	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Filestar\ = "Convert with Filestar"	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.recipe\OpenWithProgids	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\*\shell\Filestar\command	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Filestar\Icon = "C:\\Program Files\\Filestar\\Filestar.exe"	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\directory\shell\Filestar\command	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Filestar.recipe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Filestar.23.0.13.0.win-x64.DvgQL.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Filestar.23.0.13.0.win-x64.DvgQL.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Filestar.23.0.13.0.win-x64.DvgQL.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXEvlc.exe

pid process

1080 WINWORD.EXE
844 vlc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Filestar.23.0.13.0.win-x64.DvgQL.tmpchrome.exe

pid process

1336 Filestar.23.0.13.0.win-x64.DvgQL.tmp
1336 Filestar.23.0.13.0.win-x64.DvgQL.tmp
2520 chrome.exe
2520 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

844 vlc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exechrome.exe

description pid process

Token: SeDebugPrivilege 1520 taskkill.exe
Token: SeShutdownPrivilege 2520 chrome.exe
Token: SeShutdownPrivilege 2520 chrome.exe

pid	process
1080	WINWORD.EXE
844	vlc.exe

pid	process
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp
2520	chrome.exe
2520	chrome.exe

description	pid	process
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vlc.exe

pid	process
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

vlc.exe

pid	process
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe
844	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEvlc.exe

pid process

1080 WINWORD.EXE
1080 WINWORD.EXE
1080 WINWORD.EXE
844 vlc.exe

pid	process
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
844	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Filestar.23.0.13.0.win-x64.DvgQL.exeFilestar.23.0.13.0.win-x64.DvgQL.tmpcmd.exechrome.exeFilestar.exe

description	pid	process	target process
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1764 wrote to memory of 1336	1764	Filestar.23.0.13.0.win-x64.DvgQL.exe	Filestar.23.0.13.0.win-x64.DvgQL.tmp
PID 1336 wrote to memory of 1520	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	taskkill.exe
PID 1336 wrote to memory of 1520	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	taskkill.exe
PID 1336 wrote to memory of 1520	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	taskkill.exe
PID 1336 wrote to memory of 1520	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	taskkill.exe
PID 1336 wrote to memory of 1808	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 1808	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 1808	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 1808	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 2156	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	unzip.exe
PID 1336 wrote to memory of 2156	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	unzip.exe
PID 1336 wrote to memory of 2156	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	unzip.exe
PID 1336 wrote to memory of 2156	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	unzip.exe
PID 1336 wrote to memory of 324	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 324	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 324	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 1336 wrote to memory of 324	1336	Filestar.23.0.13.0.win-x64.DvgQL.tmp	cmd.exe
PID 324 wrote to memory of 2764	324	cmd.exe	Filestar.exe
PID 324 wrote to memory of 2764	324	cmd.exe	Filestar.exe
PID 324 wrote to memory of 2764	324	cmd.exe	Filestar.exe
PID 324 wrote to memory of 2764	324	cmd.exe	Filestar.exe
PID 2520 wrote to memory of 968	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 968	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 968	2520	chrome.exe	chrome.exe
PID 2764 wrote to memory of 2984	2764	Filestar.exe	WerFault.exe
PID 2764 wrote to memory of 2984	2764	Filestar.exe	WerFault.exe
PID 2764 wrote to memory of 2984	2764	Filestar.exe	WerFault.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe
PID 2520 wrote to memory of 2732	2520	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Filestar.23.0.13.0.win-x64.DvgQL.exe
"C:\Users\Admin\AppData\Local\Temp\Filestar.23.0.13.0.win-x64.DvgQL.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\is-RLSAL.tmp\Filestar.23.0.13.0.win-x64.DvgQL.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RLSAL.tmp\Filestar.23.0.13.0.win-x64.DvgQL.tmp" /SL5="$70126,19571656,785920,C:\Users\Admin\AppData\Local\Temp\Filestar.23.0.13.0.win-x64.DvgQL.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im FilestarAgent.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""dotnet" --version > "C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\~execwithresult.txt""
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\unzip.exe
"C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\unzip.exe" C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\dotnetruntime.zip -d C:\ProgramData\Filestar\dotnetruntime
3⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "set FILESTAR_DOTNET_ROOT=C:\ProgramData\Filestar\dotnetruntime & "C:\Program Files\Filestar\Filestar.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Program Files\Filestar\Filestar.exe
"C:\Program Files\Filestar\Filestar.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2764 -s 1048
5⤵
- Loads dropped DLL
- Program crash
PID:2984

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitReceive.dotm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterCompare.ram"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feece29758,0x7feece29768,0x7feece29778
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:2
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1500 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:1
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:1
2⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3276 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:2
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3568 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:1
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3764 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:8
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:8
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3952 --field-trial-handle=1112,i,12032320144451161379,394489606329534372,131072 /prefetch:1
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
PID:2440

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Filestar\Avalonia.Animation.dll
Filesize
66KB

MD5
fa31ec4a36884194133b70034c466463

SHA1
c9cf1ee64b20956cfae7b0e5ca6fa126a7712bfc

SHA256
8a73cdfc1c88e4c7db1a42c4f5ed1f79a608674366b1f78d85e89195baa0a132

SHA512
c8afe458c97837a272343be4a77a0ccac8f515902165293e6971eac849c94b7155f6749be96e39fb189b7a0e2633905eb0c569be50cf25683bb1a55edd1d84be

Download Submit
C:\Program Files\Filestar\Avalonia.Base.dll
Filesize
294KB

MD5
6547b376a50d19f1ed589a5ac9bc4fa9

SHA1
34ac7b9caa230e9ad219b903ef386fea1ee61aa1

SHA256
61b24cd0739643f3210fa56bfd0c71d4f7b9634e857cc9d8b3d6cc5805c76325

SHA512
a89fa78c9a566c3984f14c3dbe50f1f30b2ca8d0f4dd4138f2e0957ae083db0ef0dbe7ea1c4abb80bb9899d738f243edc330f564c73b5fe0d7bf0dfe8bd6dc7a

Download Submit
C:\Program Files\Filestar\Avalonia.Controls.dll
Filesize
939KB

MD5
29b13f95fdf014e7b0154b6cd27367b2

SHA1
968ed317e02b5b23d9c74957cb8a3a60623a31f0

SHA256
d6289a613f500aac7caf39db3703ffedb2e9272f89a953484f67c1cb3920e132

SHA512
39947dc6184698edcc618a828a80740834169d827142942f95ef36d26e2560735fd5395c9de828cf989feb1b21f43826b5516c8347fe59b4c0fdb4287656dee6

Download Submit
C:\Program Files\Filestar\Avalonia.DesktopRuntime.dll
Filesize
35KB

MD5
bc837da881ea1acebff0d44718012a71

SHA1
97430cf097a84cb9cce83db6f5343b0c825bba46

SHA256
0329a955da72ceb02919ed99af7dcdafa1e35ed7edcb87d2de32276d92994d72

SHA512
93bd45caf58a2da0e835a380b31edc473b5fbfc16f1081c03a26327140d794ab12c016c47e746ebcafba52a86991614186d8f1a25e6e84320489b3866cfb0012

Download Submit
C:\Program Files\Filestar\Avalonia.Input.dll
Filesize
116KB

MD5
70385f3d931d5303d67726bb2e327554

SHA1
099b0b0b9f8be85ce0db7b239a19de3afb3c30e2

SHA256
bb331558aca25cd56ac702e173c790fdeaecf4bc4af7133f2552d079491da5ea

SHA512
5231b41578d672159815501e003e0c5cd029e4bc6f195e329b27da80ade6f9cde0ba6bc4536571990a89d1a32a84208847caf69562f555c165e60952b32c3088

Download Submit
C:\Program Files\Filestar\Avalonia.Interactivity.dll
Filesize
28KB

MD5
84766ad61197313fa53b52f6efa9e60f

SHA1
15146b48c23f3db9af330abde63e33a2e64ae960

SHA256
6e5ac097279c9a0d205473e00771a3e19537de020a8e9898bcbf439a6ae25dfd

SHA512
b4a6bcdc57faa30a7cd579692e3d820fad81c6820929c7ba099263805b09630e41061272e89ad6cf4e4b8043ef30fb67103eaae45d458d094960ee1ab03c630c

Download Submit
C:\Program Files\Filestar\Avalonia.Layout.dll
Filesize
91KB

MD5
ee1bfe00d4848f130fa9ef7b569abdc7

SHA1
d341da8e99598b26fcc04ae759b111158471c019

SHA256
679ff4ce7f13d2de065305451d72817f28bc04795052b0c19805f2be94282fb6

SHA512
d9c45a7f7e2e9aec9e1c03d0b19cf7edd0b90cfdb28ccd58e58567bca7e4ff460838790cffcb95086d7385afd37dd45107b04ffa2be44b3f8c21bdbe35a20540

Download Submit
C:\Program Files\Filestar\Avalonia.Native.dll
Filesize
219KB

MD5
9a172c0b88e4b7a7db37ecaccbb8f93c

SHA1
0b7e72b6016cad8677dc8f3edb125cced8bbbc85

SHA256
5411923ebada93fcce2fb77a5edc09ee5cf865968993b0abddae0d51b31e1127

SHA512
74de1192ec76db3e886f3bb923e156e01fe8eb10f54495aeac2a9eaf2f4410a842dce6617168b2f3bc9e6d1bc8e8be3830109ded276bdc4d3330193c04a16cee

Download Submit
C:\Program Files\Filestar\Avalonia.ReactiveUI.dll
Filesize
31KB

MD5
276b333b8017cfacdf4e8a1aee022c96

SHA1
11a7e33ff9ed9118d1ad07dd7cf371efee5ccd80

SHA256
00529dc5483a8e0b3aceca9caa2b198ecf3b14abf99ec641aac7fdb5c9517f9d

SHA512
70037d84d0cf86793ff9f8e5d0f53083441a999b82e0093b661e89a8054a076941f9769087dbc588410cbf4fbe08acd0c961f24c2235fe2ca89c8c49555d4ec8

Download Submit
C:\Program Files\Filestar\Avalonia.Styling.dll
Filesize
97KB

MD5
756478839170170faa1415d6b2a41734

SHA1
3b2258f7a1a9c484c54f040c0e96ccf7062bec8a

SHA256
ad5d0030effb60c14cd4c85e3a52ba7396f2a564d81f40bbb13c1a4f69b9ef1b

SHA512
8356a9f9b7607dd52b8895212dd917e21c2126e5bf60abead717d8ff03f6406e4937ab4e3ac698229d58bcf37d369b881d0db780c47a6d7a32e0544722a51fa8

Download Submit
C:\Program Files\Filestar\Avalonia.Visuals.dll
Filesize
448KB

MD5
d97f5cdd1c0fa12878b50eb53d970448

SHA1
a4a3b3097c13939d6c5dbc9396582b47333a9af7

SHA256
67645e1eb11a866687ae93b85aa36da89c9f23383db969dc3574dc0f429ddc12

SHA512
66678422b8e5148f882276dca2000578bc5fa09f8bc8622da222aa99909bc8c96f78bc35a8d36649db98d39d385498bd9082fa434429444ee47c128fc0043469

Download Submit
C:\Program Files\Filestar\Filestar.Core.dll
Filesize
450KB

MD5
e9c84ef06d610bb06b8ad57bff84d9ae

SHA1
cf14b69efa47147b0cdd0b4e97a0cb5f8668bdac

SHA256
8b0128a091a6be4fd0fa7e859d669d0a827063047bad5f91d9bc5ee3d0f32a67

SHA512
309c10ff97c0978ec1f26d2c5b636749e7aa29acdb5aaf7aeee9792022c5b0171af32ac1b77949a10ae857f268f7e31f9b30b258fe7cb3b6b498ed46ff0977d0

Download Submit
C:\Program Files\Filestar\Filestar.Integration.dll
Filesize
241KB

MD5
b7b849688893aaf2d3c413232b018971

SHA1
e0634b60af6412410a20c108069978c99c627f0f

SHA256
9718f577816686d70a4286018e51665c2ff5a034a20794c77fe183d3fc32add1

SHA512
471868be3a90c5f7324ded2577e416b4ef43146247dc0febee3b8ff9e4553532d5099419afd1d08a87c6ee506e2d74157eb5fc32c546c3e556237ebb58b598a2

Download Submit
C:\Program Files\Filestar\Filestar.Platform.dll
Filesize
6KB

MD5
39c43c83ae8fda841181a368f4ab03fd

SHA1
d63320b4586503d454581e4c176ccbeeae7dbe10

SHA256
2d8b601eec13613e64ef6604eced1969cc1e679df12c9fc487d4cbe0d8471be5

SHA512
9f9e59370af3cc39c900ce42b1c87cfc26fa7938379a2e3b6f74e2153a6586d4ef27346e12939bc63af0c824105dac9b4b3d9ae1ad46f5b0df421cef5bb3dda6

Download Submit
C:\Program Files\Filestar\Filestar.deps.json
Filesize
161KB

MD5
4e237bdc5f50a2998e1632cb7cbea996

SHA1
712d0b1e2db12a62cd73ca00f4bb16498ada392c

SHA256
6461450cb20e116685db419bf55d8531c088ca55abfce35e8fdde86ee3e37c17

SHA512
0ec4f5d589d35c9a897e056a8b9c12f5fe9bc63334297979efc0805067a3b69e8cc31b8bdb06bbc6d5838065c5a0a43c92514ffd43d63229f194c8670be42633

Download Submit
C:\Program Files\Filestar\Filestar.dll
Filesize
1.1MB

MD5
d434f71f18173022115863169d7b3305

SHA1
053d4bea2640b2af98ad6baf6867ca4c571d941e

SHA256
1b3b5c4190e22823df2e204a6e15613748c92870b2b02e288537897aa6714736

SHA512
dbfede921357754bed624367a83b6cf77591a49b70d4beea5adb0e0bc7e4010e3fb67697fb2883501190cee71ce1889b17fbd8391d9fce802c741fbb930357f9

Download Submit
C:\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
C:\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
C:\Program Files\Filestar\Filestar.runtimeconfig.json
Filesize
253B

MD5
24e4653829de1022d01cd7ddd26e2f22

SHA1
9160a009cb381e044ba4c63e4435da6bfeb9dc6d

SHA256
ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91

SHA512
efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820

Download Submit
C:\Program Files\Filestar\ReactiveUI.dll
Filesize
292KB

MD5
0f612ec1c7e2cd49b2c536f63cb78dc1

SHA1
971226cfacadd6b247957b541adff5d69b1791f3

SHA256
7de74f18502c93f7f715b0a75e5a11651ebdf4528cef8df7be917b62e537e400

SHA512
b5c1447c83936e63397f2c84277b63ffadc61eb137b9ebb338e08cbf1442666d1e5433634a7269aa2dca0c92b67fb539f2e233b592bded9a8df4de35c10f3e76

Download Submit
C:\Program Files\Filestar\Splat.dll
Filesize
136KB

MD5
5892b7270c7a459127843237d661b8b1

SHA1
a3ca0eb85ed0c932124bab1eb32224788e0e13d8

SHA256
8d16a68fc18c2463e1a0172dc0364267fdbe22ac1ca2bb13cf93008a24fb1ef3

SHA512
491141198de87ac77563594f3d0eaf732d160323aef890df627a5469816f71dee6d9d65823260dd6119043491334ef806ba8eb11f4a804af232bfaca8167f83a

Download Submit
C:\ProgramData\Filestar\dotnetruntime\host\fxr\6.0.3\hostfxr.dll
Filesize
366KB

MD5
cc31dc8b7046570d73e759861eebb155

SHA1
1ca53e4dcbb1c605d2d067b6e5c38e0f08ce7ef3

SHA256
f089f933eec4cecd2bb570d85bb857e380120c250d81b871cb3927e301bbaf4f

SHA512
518d54594d91a6df042a39a44ed773058e539961a81e4ef553e8c568a723f67b3fd350174d58484f6edefd9922b45e248ba89bf42854cbc44d44977b75574ef1

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\Microsoft.NETCore.App.deps.json
Filesize
32KB

MD5
f5d5bb7ab29b2fd1955c87a2593c9b59

SHA1
afdb4263e3f40f442474dd917eceacae99255b59

SHA256
0449a4910a48e97c22487a7e55c9fa50d7ea401a0faacee65eb69a26ddb783ef

SHA512
371cf693a6435a181ce23d1522df24da4b519d5be47b766716d6927c99dad79772959f36746c88dc822116080e32d128370b8f48901c4cdac35fa6af58cdd7fb

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\Microsoft.NETCore.App.runtimeconfig.json
Filesize
159B

MD5
3fbd84a952d4bab02e11fec7b2bbc90e

SHA1
e92de794f3c8d5a5a1a0b75318be9d5fb528d07d

SHA256
1b7aa545d9d3216979a9efe8d72967f6e559a9c6a22288d14444d6c5c4c15738

SHA512
c97c1da7ae94847d4edf11625dc5b5085838c3842a550310cca5c70ba54be907ff454ca1e0080ba451eacfc5954c3f778f8b4e26c0933e55c121c86c9a24400b

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Collections.dll
Filesize
258KB

MD5
0e84eb681939e3ac44f4b73682135d85

SHA1
25e786e779eb557bedb5b0d3e9936a9a69cd1846

SHA256
e0319a6fc8c7da9ecd44a60503d9da2654aa1b7177b9a91406dc2f71e1de13c3

SHA512
27de4e6cfb62e6d08e555e252db23694d34cc367585e96aa83c2865368c0ef758871e6f1dbd5f67ab39ca2337b78c3907602179dff4384ab2075174e0001ec8c

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.ComponentModel.Primitives.dll
Filesize
73KB

MD5
b702c752fa9fb6a841bf47176a87f803

SHA1
a603df01a434ab527e3f11c7f6b421872cda8a44

SHA256
e7823d9e2dd9159e3f203a2da4b4cc622a928263f7e551009ae1ecafae1e1699

SHA512
4eff5ace6a226f74ff5fc33d8d20c8dbc014cf4e21dba4d170bbbbb74fbf61e34224532773cf261753d2bc65c4f0d5927f909f3ad74ead7518e699e225791daf

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Linq.dll
Filesize
525KB

MD5
bf7f629a2413598cfee66263be25e5de

SHA1
ba94ecd077ba880cc7b76f7dc5a9a02896c2d15b

SHA256
82f89d35a84f8de9363312cec89936d154968a265d46cc01e68b1fa68bde0b77

SHA512
5cf6c98bc945812726c03a1beb8e1df1752acdb7027c4e9b7353c30321a97c54bee9d7f891174235632aaa9012a22f858e1b2fc611c969ebbe67de967b249dc0

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.ObjectModel.dll
Filesize
89KB

MD5
282d4495ac9a1aba8790bbe1a67ba132

SHA1
d3f713985f0cd59902a274a32389ee62720b9b43

SHA256
3a0ce000db5f70d709cbb8bffca1d01e319ebf2745a619f6ba95beb15f026553

SHA512
2ae954760416bfed932a6f6c0ae32869cf80de4e1144d3ab692200007e26f84318adb99607be09a41fad6351fde0dc2cd9869d565eee78d78472c3270c2c3161

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Private.CoreLib.dll
Filesize
10.1MB

MD5
879185455e611d24bda7ef5a108e0dee

SHA1
d29fcd719fe6554ab25509c8e12bb47e0f3d405a

SHA256
1088114a032fb108d8d6e1becf3e5e6de63f102e2dfa3b5bc861fe7bc698472f

SHA512
0881826e162416ba586d84ed94f9d92a26cb62937fce54df393572c430a78b309fe631f225d1147484b5d39152f7b013e8a4644320d5bed0dedbc30d57bb1768

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Runtime.dll
Filesize
41KB

MD5
530a2f36665ca2de5a0221179e71c672

SHA1
212fb0017f5b781d67de1d75972ca72088f32300

SHA256
e207fa74039b215ec2896987dced7aa1290c0c00819cd88b0e54321551c3fe90

SHA512
97a8d0dc02bf1b4a9643d2a97989b85f94b552da1325e242f94f986942d25e0451501fa8a7734fe0a592d8e4d0ac3ed4f9d2a8e39d72d2f9dbc75ba97e19985a

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Threading.dll
Filesize
77KB

MD5
022a8543017d8a94954b481da5710185

SHA1
8e9a2f2493f031f4d97603a4c6e8dbdf5c2aa103

SHA256
11f45946611e6dc0ce3ce897bc518fa87bbfffd8c916a5ebe8fdf4d20778154c

SHA512
b9a1567a6fcd8362b43e9a162e7a8c8394a4edbc4767921f9917e60d63c751189fb16db8965ee5d1138ee62ee70ee8593b08b9f4fc4abe3d4f0b7fe8104fb1ce

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\api-ms-win-crt-utility-l1-1-0.dll
Filesize
20KB

MD5
fcd6b29932d6fb307964b2d3f94e6b48

SHA1
be560f8a63c8e36a7b3fa48ff384f99f69a5d4f7

SHA256
cfb2ee4e426bb00b76163c1a66cf8cfef8d7450cbf9bbce3bc9eb2053f51e0e5

SHA512
3edfcf559f1e21870277358e6d266a1a0cea68b163b11c73108f3b6a56006d20b51410a3b4ea39bf80906bf6c9d573e1072697cfcd6a3d37e3679ea54757c69f

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\clrjit.dll
Filesize
1.4MB

MD5
5c84b3607a2f0d68a941768de1039fcf

SHA1
858299df8e0f927cca55e32d135ad6e75b145f19

SHA256
485ffda975e0b7856040d4689c14797b774c16991d8ebeceb60e1ee84d4e98f1

SHA512
0f590a265dc22281533b38d3bbecefdccae57e10d9680055357d4e3c48f01fe47d33c956fdde43be8e7514a543318e22ffefd2ceb0b83b7dd087e9fb74f705eb

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\coreclr.dll
Filesize
4.9MB

MD5
780f40bc43b6241ce07cc44054f507a6

SHA1
9a6194f9a4b73b295d9bed1a644eff402b3256da

SHA256
d079840280b152d04132b91c8b620fede520691529f10e4e756aeed8a9953327

SHA512
ee4e770de08ff7f8f17eed6095d399176311fadf0eb35cc029563f5ba85c1eeb8df546edeef59a68387772bd258eaf73badd8b3ed5cef41b358c650adba6162e

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\hostpolicy.dll
Filesize
381KB

MD5
e6abf192d5420dd6062cfd1284ef7c13

SHA1
4afa426df5254265b9f7c4b157e3ebeb46cf1f34

SHA256
ee5c213d1b9a9be67909b2dace4898c1a836a441177030f349cc79231612cf73

SHA512
831c0077809c4f9a20faf1a6b04a6352a83b47d9baa020da6aea4dfdd494bcf8631a23740da290cdf2bf2985a74b5a8fd3bc24b806bf0d19d438aa5fa58705ea

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\mscorrc.dll
Filesize
143KB

MD5
837846d612d8ff449fc8edd172f4854d

SHA1
798bd08a0575a3a23ceea837ead05dbe3b514353

SHA256
e2c9a84309ff9415641b5f03b25f36e198b1670dd753c2d43a0271bc659ff1d1

SHA512
565853a26ff0b7b3b00f284c539469a982409a7d98b63c85d6355a8da575cb96da9c377c23569589b9cdeaea4a455bccd6292d9e5aacd0818f10da85fed945ba

Download Submit
C:\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\netstandard.dll
Filesize
99KB

MD5
df0539e628c25230637a4d9723cd6f8e

SHA1
2be7388e011801de0cdc2871efc9a4b64773ce67

SHA256
b7caaf3acbceaf9b6b0571e8718b6bd626421946601c40cf93dfeeae12f79851

SHA512
6f702b9a63cf9f2db84f58842f3dc9c6f5408aee487cc76ab0b440633a9f26425b6131b8fc6c8f2c7e2a0306a51872aba3136a0792b49cd0e548e5559faead07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
62c3f0b766c0f5dc7f4bf4c6797d167c

SHA1
4468a12fa879ce3c0d3d64b8f6032cd5e91d6f66

SHA256
bdcd10f2d1b1e2aa7153226a9ad2c88c619ef820144aecc5df33e2ebe49f9a41

SHA512
10e97308b3f07c30415fc785075b707d1fb522933f645e6e2f849cfe9e2f2ec14fe3abff98d593d20a0a46ebec7a4ceb768042fd2ac87d7a0f7a82f8e7d98faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
281ae9ab00282781bf53e5eabd07fc2b

SHA1
ef207cc20c626f2d4a61ad54a07cddbf0cb9209e

SHA256
678edf668b0d2fa7bd565d5e347b27f4cbe00100f666e395569f53174628a7eb

SHA512
144fbbb3bc5c56b9024859498c2f25b683006637f77d3e2b3000429dc2d4a3bcc65a046307e039b5315dd3f73081b5b8b2ed3c194d36d48e0301424fb95ce935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
4a8bd382fbc0fa223676c4777eff2a9d

SHA1
437baf3e6fe99231f8c9645cdba1bd9a710ca223

SHA256
73fe417333270b2d696c663509abce8ba3490a0d960a5aff5dbacb741e08a1f2

SHA512
89d5a175963a42873afe9fbdc9923f27cdcc3bcfe2f18f46fb673d083a2e6972dec83bb759892dd94de27ce0cdd9c8d322924d42d48f01c07823eb8fe45575df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
71KB

MD5
b98972785fe27996eb9ef3e721934e54

SHA1
a1fe44fb51710f42a93e14f2ed7872d9075a6af4

SHA256
fd53e60b172429c23ca1cf08d369f0d26428e72603a8b3a71145f806b3124e34

SHA512
5504f2d6c151f9270bd676b50c1dfdb7fee7bfd81542d9f53bc7e79c04b5b5cf358615dea415f72066579fe42de92c1f89a5a34f1c0f20a4033e2d6f91794493

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA92E.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA06.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\dotnetruntime.zip
Filesize
31.2MB

MD5
3f4993206f808b516676b0e976de9a2e

SHA1
a6210a8eeb75268078454355264a803958293bc8

SHA256
34537333814b61ed3763dd5861a5283050a01a3c9b043e4f1e74614b3faf7df2

SHA512
24bb230a3721a3ea8fbde9f6e648496124b4de0ecba6b58918fc3f7a5bde8d818415e46531dd1bfa399ed3847a7f519fc94cf4d41896ff77652b6a615b79f54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\unzip.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\unzip.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RLSAL.tmp\Filestar.23.0.13.0.win-x64.DvgQL.tmp
Filesize
2.9MB

MD5
34c5e8d40362deb6f6bf4ec83a795c51

SHA1
03c10464a4dda1ade923e580f8c9735361efff3c

SHA256
95d5c0cebe63100ebcdf0418446c22ab03038d819dc4e350319872947ba6a6f3

SHA512
c56ef3ab91bd32a435404dec7fc94966c97f2480dc31516fa491de5278b2487f65c9a064ecfd7c636359b9eaf1e42c73c39ee1d892ee375d36fb115ac5b6f4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RLSAL.tmp\Filestar.23.0.13.0.win-x64.DvgQL.tmp
Filesize
2.9MB

MD5
34c5e8d40362deb6f6bf4ec83a795c51

SHA1
03c10464a4dda1ade923e580f8c9735361efff3c

SHA256
95d5c0cebe63100ebcdf0418446c22ab03038d819dc4e350319872947ba6a6f3

SHA512
c56ef3ab91bd32a435404dec7fc94966c97f2480dc31516fa491de5278b2487f65c9a064ecfd7c636359b9eaf1e42c73c39ee1d892ee375d36fb115ac5b6f4a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
edc31c1ad9ed265a1e8a1b94f7d2727a

SHA1
f0e4daa4593b20014fc982cf4249e4ec894c73a4

SHA256
b59ddaae2bc072b0e07b3d4cb814a9523af8d7724044ace1b8b066ec706da5a1

SHA512
7c434d8cd4816db9c81f0e4fac8a439b130cff521d1bc126146ab9ad0116d784df230aa6f1d594604a931dc73cc0cd6ff2a686afb54aadc4c37a0cd03ad8398a

Download Submit
\Program Files\Filestar\Filestar.dll
Filesize
1.1MB

MD5
d434f71f18173022115863169d7b3305

SHA1
053d4bea2640b2af98ad6baf6867ca4c571d941e

SHA256
1b3b5c4190e22823df2e204a6e15613748c92870b2b02e288537897aa6714736

SHA512
dbfede921357754bed624367a83b6cf77591a49b70d4beea5adb0e0bc7e4010e3fb67697fb2883501190cee71ce1889b17fbd8391d9fce802c741fbb930357f9

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\Program Files\Filestar\Filestar.exe
Filesize
202KB

MD5
6f0caefb33150b91de5bed7cabfe2985

SHA1
60b86515ec185789a0c91a21bc7b99de2a9df893

SHA256
4fd67cae90acf0f95d72cea69881d87f060521f6deaee88e5079d46ba6a46ecd

SHA512
61dbf5c33c347b5b8bb3964b8588eb621722ed4db0225ae28a5a48c65e488e8427cfb8e1ea646fa226c0ad4717d8c27c28d9e33923403e4fbbc1e542e2736462

Download Submit
\ProgramData\Filestar\dotnetruntime\host\fxr\6.0.3\hostfxr.dll
Filesize
366KB

MD5
cc31dc8b7046570d73e759861eebb155

SHA1
1ca53e4dcbb1c605d2d067b6e5c38e0f08ce7ef3

SHA256
f089f933eec4cecd2bb570d85bb857e380120c250d81b871cb3927e301bbaf4f

SHA512
518d54594d91a6df042a39a44ed773058e539961a81e4ef553e8c568a723f67b3fd350174d58484f6edefd9922b45e248ba89bf42854cbc44d44977b75574ef1

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Collections.dll
Filesize
258KB

MD5
0e84eb681939e3ac44f4b73682135d85

SHA1
25e786e779eb557bedb5b0d3e9936a9a69cd1846

SHA256
e0319a6fc8c7da9ecd44a60503d9da2654aa1b7177b9a91406dc2f71e1de13c3

SHA512
27de4e6cfb62e6d08e555e252db23694d34cc367585e96aa83c2865368c0ef758871e6f1dbd5f67ab39ca2337b78c3907602179dff4384ab2075174e0001ec8c

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.ComponentModel.Primitives.dll
Filesize
73KB

MD5
b702c752fa9fb6a841bf47176a87f803

SHA1
a603df01a434ab527e3f11c7f6b421872cda8a44

SHA256
e7823d9e2dd9159e3f203a2da4b4cc622a928263f7e551009ae1ecafae1e1699

SHA512
4eff5ace6a226f74ff5fc33d8d20c8dbc014cf4e21dba4d170bbbbb74fbf61e34224532773cf261753d2bc65c4f0d5927f909f3ad74ead7518e699e225791daf

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Linq.dll
Filesize
525KB

MD5
bf7f629a2413598cfee66263be25e5de

SHA1
ba94ecd077ba880cc7b76f7dc5a9a02896c2d15b

SHA256
82f89d35a84f8de9363312cec89936d154968a265d46cc01e68b1fa68bde0b77

SHA512
5cf6c98bc945812726c03a1beb8e1df1752acdb7027c4e9b7353c30321a97c54bee9d7f891174235632aaa9012a22f858e1b2fc611c969ebbe67de967b249dc0

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.ObjectModel.dll
Filesize
89KB

MD5
282d4495ac9a1aba8790bbe1a67ba132

SHA1
d3f713985f0cd59902a274a32389ee62720b9b43

SHA256
3a0ce000db5f70d709cbb8bffca1d01e319ebf2745a619f6ba95beb15f026553

SHA512
2ae954760416bfed932a6f6c0ae32869cf80de4e1144d3ab692200007e26f84318adb99607be09a41fad6351fde0dc2cd9869d565eee78d78472c3270c2c3161

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Private.CoreLib.dll
Filesize
10.1MB

MD5
879185455e611d24bda7ef5a108e0dee

SHA1
d29fcd719fe6554ab25509c8e12bb47e0f3d405a

SHA256
1088114a032fb108d8d6e1becf3e5e6de63f102e2dfa3b5bc861fe7bc698472f

SHA512
0881826e162416ba586d84ed94f9d92a26cb62937fce54df393572c430a78b309fe631f225d1147484b5d39152f7b013e8a4644320d5bed0dedbc30d57bb1768

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\System.Threading.dll
Filesize
77KB

MD5
022a8543017d8a94954b481da5710185

SHA1
8e9a2f2493f031f4d97603a4c6e8dbdf5c2aa103

SHA256
11f45946611e6dc0ce3ce897bc518fa87bbfffd8c916a5ebe8fdf4d20778154c

SHA512
b9a1567a6fcd8362b43e9a162e7a8c8394a4edbc4767921f9917e60d63c751189fb16db8965ee5d1138ee62ee70ee8593b08b9f4fc4abe3d4f0b7fe8104fb1ce

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\api-ms-win-crt-utility-l1-1-0.dll
Filesize
20KB

MD5
fcd6b29932d6fb307964b2d3f94e6b48

SHA1
be560f8a63c8e36a7b3fa48ff384f99f69a5d4f7

SHA256
cfb2ee4e426bb00b76163c1a66cf8cfef8d7450cbf9bbce3bc9eb2053f51e0e5

SHA512
3edfcf559f1e21870277358e6d266a1a0cea68b163b11c73108f3b6a56006d20b51410a3b4ea39bf80906bf6c9d573e1072697cfcd6a3d37e3679ea54757c69f

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\clrjit.dll
Filesize
1.4MB

MD5
5c84b3607a2f0d68a941768de1039fcf

SHA1
858299df8e0f927cca55e32d135ad6e75b145f19

SHA256
485ffda975e0b7856040d4689c14797b774c16991d8ebeceb60e1ee84d4e98f1

SHA512
0f590a265dc22281533b38d3bbecefdccae57e10d9680055357d4e3c48f01fe47d33c956fdde43be8e7514a543318e22ffefd2ceb0b83b7dd087e9fb74f705eb

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\coreclr.dll
Filesize
4.9MB

MD5
780f40bc43b6241ce07cc44054f507a6

SHA1
9a6194f9a4b73b295d9bed1a644eff402b3256da

SHA256
d079840280b152d04132b91c8b620fede520691529f10e4e756aeed8a9953327

SHA512
ee4e770de08ff7f8f17eed6095d399176311fadf0eb35cc029563f5ba85c1eeb8df546edeef59a68387772bd258eaf73badd8b3ed5cef41b358c650adba6162e

Download Submit
\ProgramData\Filestar\dotnetruntime\shared\Microsoft.NETCore.App\6.0.3\hostpolicy.dll
Filesize
381KB

MD5
e6abf192d5420dd6062cfd1284ef7c13

SHA1
4afa426df5254265b9f7c4b157e3ebeb46cf1f34

SHA256
ee5c213d1b9a9be67909b2dace4898c1a836a441177030f349cc79231612cf73

SHA512
831c0077809c4f9a20faf1a6b04a6352a83b47d9baa020da6aea4dfdd494bcf8631a23740da290cdf2bf2985a74b5a8fd3bc24b806bf0d19d438aa5fa58705ea

Download Submit
\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\idp.dll
Filesize
228KB

MD5
9a83f220bf8ca569e3cfa654539a47a4

SHA1
9d1fb7087c12512d5f66d9d75f2fbae8e1196544

SHA256
b1c4c9b2dd6a40974fa8789b218b52d967f5ccd1b47e95b4f6bda4b6ce864d0d

SHA512
9b6460aca9720a4762a28e78a0e5f3e7358f73383926caf7f4a071e66c79f1032abd131432387f108de27894c147e2f34f01b094b6688826ce78f007d9dafbc5

Download Submit
\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\unzip.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Local\Temp\is-JB3DM.tmp\unzip.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RLSAL.tmp\Filestar.23.0.13.0.win-x64.DvgQL.tmp
Filesize
2.9MB

MD5
34c5e8d40362deb6f6bf4ec83a795c51

SHA1
03c10464a4dda1ade923e580f8c9735361efff3c

SHA256
95d5c0cebe63100ebcdf0418446c22ab03038d819dc4e350319872947ba6a6f3

SHA512
c56ef3ab91bd32a435404dec7fc94966c97f2480dc31516fa491de5278b2487f65c9a064ecfd7c636359b9eaf1e42c73c39ee1d892ee375d36fb115ac5b6f4a6

Download Submit
memory/844-375-0x000007FEF6450000-0x000007FEF6461000-memory.dmp

Filesize
68KB

Download
memory/844-1050-0x000007FEF6410000-0x000007FEF644F000-memory.dmp

Filesize
252KB

Download
memory/844-438-0x000007FEF4F70000-0x000007FEF601B000-memory.dmp

Filesize
16.7MB

Download
memory/844-979-0x000007FEF6020000-0x000007FEF62D4000-memory.dmp

Filesize
2.7MB

Download
memory/844-237-0x000000013FB60000-0x000000013FC58000-memory.dmp

Filesize
992KB

Download
memory/844-987-0x000007FEF4F70000-0x000007FEF601B000-memory.dmp

Filesize
16.7MB

Download
memory/844-366-0x000007FEF6470000-0x000007FEF648D000-memory.dmp

Filesize
116KB

Download
memory/844-1127-0x000007FEF4BC0000-0x000007FEF4C16000-memory.dmp

Filesize
344KB

Download
memory/844-1125-0x000007FEF4C20000-0x000007FEF4C31000-memory.dmp

Filesize
68KB

Download
memory/844-1098-0x000007FEF4C40000-0x000007FEF4CAF000-memory.dmp

Filesize
444KB

Download
memory/844-261-0x000007FEFA740000-0x000007FEFA774000-memory.dmp

Filesize
208KB

Download
memory/844-321-0x000007FEF6730000-0x000007FEF6741000-memory.dmp

Filesize
68KB

Download
memory/844-288-0x000007FEF6790000-0x000007FEF67A7000-memory.dmp

Filesize
92KB

Download
memory/844-287-0x000007FEFA720000-0x000007FEFA738000-memory.dmp

Filesize
96KB

Download
memory/844-316-0x000007FEF6750000-0x000007FEF6767000-memory.dmp

Filesize
92KB

Download
memory/844-1095-0x000007FEF4CB0000-0x000007FEF4D17000-memory.dmp

Filesize
412KB

Download
memory/844-284-0x000007FEF6020000-0x000007FEF62D4000-memory.dmp

Filesize
2.7MB

Download
memory/844-289-0x000007FEF6770000-0x000007FEF6781000-memory.dmp

Filesize
68KB

Download
memory/844-988-0x000007FEF4D70000-0x000007FEF4F70000-memory.dmp

Filesize
2.0MB

Download
memory/844-1081-0x000007FEF4D50000-0x000007FEF4D68000-memory.dmp

Filesize
96KB

Download
memory/844-1051-0x000007FEF63E0000-0x000007FEF6401000-memory.dmp

Filesize
132KB

Download
memory/844-1053-0x000007FEF63C0000-0x000007FEF63D8000-memory.dmp

Filesize
96KB

Download
memory/844-1055-0x000007FEF63A0000-0x000007FEF63B1000-memory.dmp

Filesize
68KB

Download
memory/844-1058-0x000007FEF6380000-0x000007FEF6391000-memory.dmp

Filesize
68KB

Download
memory/844-1061-0x000007FEF6360000-0x000007FEF6371000-memory.dmp

Filesize
68KB

Download
memory/844-1065-0x000007FEF6340000-0x000007FEF635B000-memory.dmp

Filesize
108KB

Download
memory/844-1067-0x000007FEF6320000-0x000007FEF6331000-memory.dmp

Filesize
68KB

Download
memory/844-1094-0x000007FEF4D20000-0x000007FEF4D50000-memory.dmp

Filesize
192KB

Download
memory/1080-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1080-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1336-110-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1336-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1336-62-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/1336-69-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1336-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1336-71-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/1336-73-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1336-139-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1764-68-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1764-54-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download