hxxps://sf-helper[.]net/dist/2023-06-08/SF-Helper[.]exe?vid=403&uid=c441b10ea578c4d2&t=1688971604692049056

Resubmissions

10/07/2023, 09:44

230710-lqyhlaaf2t 1

10/07/2023, 09:30

230710-lgwbwahf27 1

10/07/2023, 08:51

230710-kr6d6aac5x 8

10/07/2023, 08:20

230710-j8sc7ahc68 8

Analysis

max time kernel
210s
max time network
215s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
10/07/2023, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sf-helper.net/dist/2023-06-08/SF-Helper.exe?vid=403&uid=c441b10ea578c4d2&t=1688971604692049056

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
4188	AppHelper.exe

Loads dropped DLL 14 IoCs

pid	Process
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe
1592	SF-Helper-[c441b10ea578c4d2_403_].exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b899acd6cfadd901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{050A1A7B-1EFF-11EE-874D-C2B18B3BE9C0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{F879D2CA-3C91-44AC-9ED4-9619A369D9A0}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3682386986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3689886791"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3682386986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395744092"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3689886791"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044363"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044363"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044363"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044363"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133332884818672649"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3384	iexplore.exe
3384	iexplore.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3384	iexplore.exe
3384	iexplore.exe
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe
4188	AppHelper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 4412	3384	iexplore.exe	70
PID 3384 wrote to memory of 4412	3384	iexplore.exe	70
PID 3384 wrote to memory of 4412	3384	iexplore.exe	70
PID 3384 wrote to memory of 1592	3384	iexplore.exe	71
PID 3384 wrote to memory of 1592	3384	iexplore.exe	71
PID 3384 wrote to memory of 1592	3384	iexplore.exe	71
PID 1592 wrote to memory of 4188	1592	SF-Helper-[c441b10ea578c4d2_403_].exe	74
PID 1592 wrote to memory of 4188	1592	SF-Helper-[c441b10ea578c4d2_403_].exe	74
PID 1592 wrote to memory of 4188	1592	SF-Helper-[c441b10ea578c4d2_403_].exe	74
PID 4188 wrote to memory of 1644	4188	AppHelper.exe	76
PID 4188 wrote to memory of 1644	4188	AppHelper.exe	76
PID 1644 wrote to memory of 648	1644	chrome.exe	77
PID 1644 wrote to memory of 648	1644	chrome.exe	77
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 2212	1644	chrome.exe	81
PID 1644 wrote to memory of 1360	1644	chrome.exe	79
PID 1644 wrote to memory of 1360	1644	chrome.exe	79
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80
PID 1644 wrote to memory of 1848	1644	chrome.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://sf-helper.net/dist/2023-06-08/SF-Helper.exe?vid=403&uid=c441b10ea578c4d2&t=1688971604692049056
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3384 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4412
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SA5PKX1P\SF-Helper-[c441b10ea578c4d2_403_].exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SA5PKX1P\SF-Helper-[c441b10ea578c4d2_403_].exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Programs\AppHelper\Bin\AppHelper.exe
    "C:\Users\Admin\AppData\Local\Programs\AppHelper\Bin\AppHelper.exe" install sf_helper_chrome
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-renderer-accessibility --start-maximized https://savefrom.net/userjs-for-google-chrome.php
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe7ffe9758,0x7ffe7ffe9768,0x7ffe7ffe9778
        5⤵
        
        PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:1360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:1848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:2
        5⤵
        
        PID:2212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:4656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1832 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:4460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3232 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:4448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:4160
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:2236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4596 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:4168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4812 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:5076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:4932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:2720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5352 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:4536
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4504 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:1
        5⤵
        
        PID:3948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=688 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:4192
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:3304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1496 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:4280
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:4656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 --field-trial-handle=1756,i,7825191905883211248,8683849787009904862,131072 /prefetch:8
        5⤵
        
        PID:316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f861ffcb9b3526e7ee24c38ab675e58a

SHA1
e3987086779a67e0b6ee225b243c7316e7c41490

SHA256
a02ed0cf35c58f1d72a46fc55e86e724ae797505c2f47a7e7fe51f58bab06906

SHA512
fd3e2acbee33afd9c32e43ac3ae163b51d8f35a57a28b3956a745c7dbd25932a54d9a4d480a2f730683f807e37f2bfb230ddc6851671caffbeddc7eb4c66ec03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ee506fa7bdf7fefc2fd542f17598a6f4

SHA1
baec970b7466690313709075270e656645f9b1f2

SHA256
a5428480729db6fb43e80cc8b9ad0e0b2af9577472d704055a0a1e8b4207f4c0

SHA512
ff705192e1895448df572b19de1d96303b3aed17e01ebaed30720e8dd9fd3dedac15e512945149612aa26b7d81a725e7cf6b77cd7c19f669474d742f522ffe32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
cfbc16e33dcbef6f773f0f79af528f45

SHA1
ecb8d5e8107bc671dd57fb2a137c00bffa419f1f

SHA256
f0937890fb1053069baac97b7992c6d22cb74cae20317fc05d51070d96950ffa

SHA512
59ac2ead1eb84edffb06867850beb1e63f72c5b5415abd2fd4e7c2a1922c368f612d2a0288c00e32d5da47c4a77968ffbe72660a8d1f577f44fb20df9c11a4af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
344d57888a9273eb3a71afceeb3acc4d

SHA1
2391dc46019bb657a6ab0b729a8a96673922e48e

SHA256
46f01892ba6ab129df4d1c9030ccb96297d8448029c7103a8bd4c6434f169162

SHA512
c2c78268e156a84a4d59214c176766a37fdf57c130dfe1d07838757e860905c4d9a9eca65b7139a7f72accc66341b0aea91d720fc86851693fa36bb57e3ffe58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
9901f4c3102bd3cefe00804479bee64d

SHA1
db61117f7f0668bddc3965c3f45c75c04ea93a56

SHA256
8f10b5cc4e69e58864aac28a8e6f98653751b76d11b43603e93af05dc5ebab2f

SHA512
114c6ddd038400292971273fae7091596be18f6474fa3cf630bca6f8dca33ca6f0bd6acee817c501ce27373e40db6ab221881ae2aee60137b9a0fb652dfd18f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
edce7d0f8536fa52c9b9404c17ab932a

SHA1
f0eeb703222838fd01aa33249829076a8f935fc9

SHA256
a8bd447787830be167ffaff7fff3a552cec2148a2b0a1f398601922374f579f5

SHA512
43eb81383796d65b70956d27815f5b1852b5c9c73f0e320339f894ad8d78ae975685198a2fa3188646aa688d617f651c35a0e23d2e6385c3bd3960517fb89c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
76a71ca042c429402c42644786584a6f

SHA1
16658a5c240dda5d65cfd86b57cdc9e09e7b6da5

SHA256
87a8605e02f347178b059dd55afdc8eed5f989a1834072fa26d1effa38af4f9f

SHA512
38769932f60800a341a59afddbc69b84f6a6f3d60785abbb2cb7202833942af9ec695243a764d24d46ea4fd61248334d96158c629e743294405347dfb2ff70ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
bb4568da7bed2f3e303ffd5ca57a2bf2

SHA1
2cefed96447e6cd98304aafd11113faf515876ea

SHA256
e53a3c82603d5dca4a01de84a311ddd53563f90d875c939e834844a518915bdd

SHA512
3dd1cc9d1577fb9cd729a6b149364d95ff1e62201a4655849e39cc6b30dbcfd97d4f82578fdc8f16f1a890a0f395591b66654909ba7a890cb85fb748042114dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
865937a2d726d4fc58cc3091d1b37946

SHA1
68a08efa0a54c71c4d8eb64f0cf7259b4a376a29

SHA256
42f792910f2901129d5d6fbd40a68020439c3a49d4237871b09a440d2ea6e63a

SHA512
699ccd20ea540e729524bec3eaf0bde1df7da91c81fbd74438e41fa7c4f5dafcaa46bf9d5ba8255fcc2ac0612b9079d102224b5a4c1adef1e35baccd600c0df9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8e0e85464751d62bc73161786082adc1

SHA1
5d2b91f623ac66e6f7107397c2547bc1c5efb21f

SHA256
02a3f7627d274e3a252850257dc24c1cdad5f472a0a4c674e509c5c650f7a93b

SHA512
f912e27854b6df24dada98bc193a4fb78052fd4bb19b57c2d6e014db3934716f2bf3ca1e48b7de014104a51edfdd7ce129f529644e0243e219a384e6d262c041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
460a4882f99a553c1a55e6d9dded2fe0

SHA1
a0fb3c44058dc13f0d08a8e24996b28f982dbcf0

SHA256
cdd907c2e84346896f826a70ca26564daee670db0b52481961aa63de09679fd0

SHA512
161c58985ae981065e293e41e991f5b826b04003147d25c5e68db249d3cce9af767437542d9f251227174477daebd0b0ad75ff6a5947de34406f0f8c8490cabc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3cdeeef0d0c026cd64e949ed883595d3

SHA1
71eec36b70921aedd4f560f3be564d0689d40b11

SHA256
4d92bb3cabfbd2e79d7569c1895431e7658bb00bcad40e3e82a91ad0aa0156f1

SHA512
a9a744ee5192f40c2466c0af48b11071590d17b5f9d81fcbd62cd4db9131f108449f944904479504379bf6b41361b675ed0bb84140adb7e0c327963bd13ed340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
22413583ea3f7d87f40d43ed57009346

SHA1
0ae3fcede14b2ca5d98f579498709fc13a5d00fb

SHA256
e3ad3670db11515d002b274e6b429f6ee2f5c5d98c55f99aac1dce6d1e26b744

SHA512
2db7430c81f50e0b76dd23d513b390c4046bf7616f36a8d5d219fe491a7d0a27aacf4b352296f74775f1c99960aa698a47d6ed44ae2b00516e96066c9084f3f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4be16af279f678135509536565644590

SHA1
48e4ecde0b9338a01087f3f351483b399b16d4a9

SHA256
4f46044718d80590a17cd86dd75781864f4d3ff859e49d25af3733c3b805b7d9

SHA512
52dc81fb28612f7a5d859d110b37d9827ea6f57519fe164e81a263f6bab9ebf12616b7a7c0720d5505b6472a2baec3ec8a47e63302e3b8898ecc2238dc2b843a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1dffb5184fdc578618deecbc23ebd613

SHA1
a4461d319863d8c0e6060c90c3819acf99f37485

SHA256
ab5795ea0f15a1a63797b6514caa3cc84932adbb3419bc3faff131205a787efa

SHA512
bb6dd7e06a90d4a6a8384d08d5383ab25be851881f291abec4d18e1c958edf3d86ea04aa2c0471cc24a5f9877ca442db90ba1b9d74ed9d7a3d2544009c412cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6ef387bf9d81352a47ab08c97bfe9301

SHA1
e5635bbdfc627240d1c915f80080593dce8def3f

SHA256
6a347fd1ca97191e08a11367bfa5496dced93e7058c7a7c85b667cbe99fe205c

SHA512
1c0442ad4d14eb12356cf23dadd64addff0bc8fb9358aa42d67cab5c52a1d57a79f0acd28125366f349688e6446b4eacadb1819e7e2e03bf414118007ba1730d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3e2207e8199d9c3917d5317694571f52

SHA1
5e59c776147a6f87959d6ee34f3410a2db31e671

SHA256
03feb11dc9bd81f77e6448cefb35f629562ec189f2698629805ea32fc416c46c

SHA512
f13eb31cc608bdfef0c727b6a2083a86bd90c8de31058de16d40ffa1c570d91cf54e995b336c809ab9c3a0832b213b79e38305b0cec3198cbb299162bdaf9c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cadd4a9a3e126b714a8bef1d742b3ce0

SHA1
270214c484488a1f21773a167995aacdc9f2dab0

SHA256
070e3de10b14b4014f1ea04f19e2a1b702386d5f74ce527abc31188faefc725f

SHA512
eff2a7da48bb177a44e26f237750da6ae4563ddfa5083bf586a8bc103ddf512b17f57ced57e00e9b4254cf2be14c533e6adeaf5ebc3b0ad273737590d7a3fa5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
82c9a81427f9b6b2e60a6a1d77615b6f

SHA1
5c517c993dad9e4e6c55d0c5522d054500f697c7

SHA256
54ef9022fa2728995ed97946ec5bf273e83a67c667e2eddaeb24d26f6e9dfc0b

SHA512
870e90516f7e4a70bdfb4032b16d00af515ae82f7f42bdf6f249017da6589933a27a265b11688b03e667a4f0a1b2e4de1c2031d4ec00ad1d30def2da3e73fc3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
133fa4c6df1d3c76961a5f6c38c06b79

SHA1
b836c17baadf9398145914084ded0b0e9274b372

SHA256
a14371f6d316e62d4e6cb866f6623844a77022c67fc849a0115a65fe42e31dd5

SHA512
e6245504c9f8157535e89d98d720bd296b58f0e9d2cca4c2c9b7e448ca591e2302eb4384197b9cd76d74f7f4e892697ce3dc6ca767ace8de6baa48774f506022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
95KB

MD5
f3740be6fd945f47347a24b37a5c2975

SHA1
4921588fcc42197ec1e791aed9231bace1d19518

SHA256
0c763eb411d656f527be7ab7ad4ebcd242a510e68f4912f8907321e2eba8a8f6

SHA512
cfea489a47ba85d7cca0ccdad5bc6bf5e6b3144c57a257f66f00326e34910b945bee759bb8972b7015f605ffa57ceb34a4a2b8cb7abfb61103163cba69680c07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ab23a.TMP

Filesize
93KB

MD5
b6c5ee5b9cfc10515e1d41d2a79d870b

SHA1
67e572de08985e2dff19434d2cf49a1ee69f86ca

SHA256
1d6757bf5afac24e062d6c82c9bee44b030b599757c8ec49aad82816e1021e87

SHA512
e84985aa0f6217700e971f9c19cb177282d12dff63d7cf9a7fd2fadf04fbd2739ef30d1524e49ae840bae92c1a43e2162a49ee666c6cba67f4a4ef0b8766096b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2C1C.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FDF7X92I\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SA5PKX1P\SF-Helper-[c441b10ea578c4d2_403_].exe

Filesize
293KB

MD5
cb7540975a2d1643707fa30760b36c7b

SHA1
5ae5cd61058dd0979e2c898bda1b07d26d041f3f

SHA256
9c44660a837beaed12beb9cb626ee2886910adefe044f269240a1e2db1ee6dbf

SHA512
730d22fcf5228f7c03eb757d786e7bceebf362f63bec6d2a1c3307675bca87af580bbd0b0002f7a1cdc559928137d5e58512d90a29023b8aeb22cac2ba1d8717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SA5PKX1P\SF-Helper-[c441b10ea578c4d2_403_].exe.hkbrdhw.partial

Filesize
293KB

MD5
cb7540975a2d1643707fa30760b36c7b

SHA1
5ae5cd61058dd0979e2c898bda1b07d26d041f3f

SHA256
9c44660a837beaed12beb9cb626ee2886910adefe044f269240a1e2db1ee6dbf

SHA512
730d22fcf5228f7c03eb757d786e7bceebf362f63bec6d2a1c3307675bca87af580bbd0b0002f7a1cdc559928137d5e58512d90a29023b8aeb22cac2ba1d8717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T5JYCXSS\SF-Helper-[c441b10ea578c4d2_403_][1].exe

Filesize
293KB

MD5
cb7540975a2d1643707fa30760b36c7b

SHA1
5ae5cd61058dd0979e2c898bda1b07d26d041f3f

SHA256
9c44660a837beaed12beb9cb626ee2886910adefe044f269240a1e2db1ee6dbf

SHA512
730d22fcf5228f7c03eb757d786e7bceebf362f63bec6d2a1c3307675bca87af580bbd0b0002f7a1cdc559928137d5e58512d90a29023b8aeb22cac2ba1d8717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BTVN31EJ.cookie

Filesize
615B

MD5
fecfe34b512991972d914270903f16b1

SHA1
0495216ddd85005c9e1735bf9d6c61c52fae6187

SHA256
b8a66a519710f1a396ba4e102cf962c213f5baba87c05aebd93b14b8d692faf5

SHA512
c01397d5332dc24a8dbe4f92fdbfdd2b53da587b493c4d03f9dacc4e059c170e4e1b295ab6c25e38729b7a8648bb05ff44d0d9c0d47b5d6c98514a8d1d7b5aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PJ9M9ZPL.cookie

Filesize
614B

MD5
dd2f50ad020c6aa582447af9058a506f

SHA1
b745a9f3e2a436b7b9ead747ccd873917d9bef61

SHA256
627c22a2ea62500d46887604a4720f05df73dd771966e6400a41b686134f19c6

SHA512
edabde71176a357c3c8a48f66faf5df1ff9b0b7738768a14a3ba2ef378dd6d60bde47eaf491185635a15d3e8fc9bfe64b9987c707c1ec4f3ae78421260d853b7

Download Submit
C:\Users\Admin\AppData\Local\Programs\AppHelper\Bin\AppHelper.exe

Filesize
505KB

MD5
5a9fab8505e5274670f303ae643e4142

SHA1
85443a89b956b48bb7b9b1d34a7caa535aceb4fe

SHA256
b85ddc10b75b0bdb5c7c5d7fcba3a574ded439bcfb1bc41340be7a58e16b9f01

SHA512
df8009d9654f3ff20835412c31f2bb1469b340bd9155d8c28e0f820d8ef401162acf147bd206644cda4447a239a7dfce853cf20d7b2cd9d0534026670489a34a

Download Submit
C:\Users\Admin\AppData\Local\Programs\AppHelper\Bin\AppHelper.exe

Filesize
505KB

MD5
5a9fab8505e5274670f303ae643e4142

SHA1
85443a89b956b48bb7b9b1d34a7caa535aceb4fe

SHA256
b85ddc10b75b0bdb5c7c5d7fcba3a574ded439bcfb1bc41340be7a58e16b9f01

SHA512
df8009d9654f3ff20835412c31f2bb1469b340bd9155d8c28e0f820d8ef401162acf147bd206644cda4447a239a7dfce853cf20d7b2cd9d0534026670489a34a

Download Submit
C:\Users\Admin\AppData\Local\Programs\AppHelper\Tools\sf-helper-default\sf-helper-default-installer.log

Filesize
1KB

MD5
7b97253fe032455d04c080cd46641d4c

SHA1
9fb81da39fd8fe6d2a4c6f0b1381a2bb391ce9a7

SHA256
bbc6d9459973a408c40f214fb34c98f69d3b26435885ff53f870cc40bd0aa927

SHA512
7e356d3137388e6a4d4926c9f68b16c809a67c079967cc3cf4f0c02bcfe91699fe48f82f8329eb5eee3d6356e1111d3eb8e7187467f59e525621de1dba3938b9

Download Submit
C:\Users\Admin\AppData\Local\Programs\AppHelper\Tools\sf-helper-default\sf-helper-default-installer.log

Filesize
5KB

MD5
af93ba73727e099c995590b97da5365c

SHA1
478bc43d63d1454785c87a7921d9572d4475c9cd

SHA256
5c576cc38f6e1ba49c941b9e4e651e9ba56ffabb535fdf6fac2db5ae85194b14

SHA512
ab791494f724b7d13571ef2bfba03090e43aed84e6e59158ed2bc3fb98694f37970288494456cf6ca66ffa977f6005802759a56a09cbbe45b657e0aa86b988bb

Download Submit
C:\Users\Admin\AppData\Local\Programs\AppHelper\Tools\sf-helper-default\sf-helper-default-uninstaller.ini

Filesize
273B

MD5
8b4748cb86950933087ec0ba2adf697b

SHA1
74a9e22968be39824470a96741341856286f8fc6

SHA256
c02ee386eaa656e64e9f7a4fe2ec63e0700072e18e56cec1971058e1b134466a

SHA512
06660a542fd7bcdfaf6bf97794738123a47831119f41acce922206f185fe58859b568468369eb1c013cbdbf46c9a2ee89ab240e8c0f1361153d61b9717f16e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoFF22.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nszE77E.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit