fabookie | a0497dde6d202b7dfe6d1b6b6a0493560bc3fc16a085b46097662aac3a44bd38

Analysis

max time kernel
37s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Size

4.1MB
MD5

551a3b674dc17c8d882475bae721ca8d
SHA1

e6fb6eceb4bf2336c37352d2766e998217b3d717
SHA256

9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad
SHA512

788aad12f99df04304980a875638988832cff18ce3c10b80c67ce5ba451805629379dcdb3f2be600d85b5c11671ed3b91c713eae3a68d1d467e6e33fd8919d3e
SSDEEP

98304:dTjMuxcggUh49xEKZJmWTfDAENMI9pkpwjW93GK7aWoaNopr:dvMoVuxDJ1TfMETG79P7+Mo1

Score

10^/10

fabookie ffdroider gcleaner glupteba metasploit onlylogger privateloader smokeloader socelars backdoor dropper evasion loader spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

privateloader

http://45.133.1.182/proxies.txt

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

gcleaner

194.145.227.161

Signatures

Detect Fabookie payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000500000001ef71-533.dat	family_fabookie
behavioral1/files/0x000500000001ef71-607.dat	family_fabookie
behavioral1/files/0x000500000001ef71-623.dat	family_fabookie
behavioral1/files/0x000500000001ef71-624.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/2372-660-0x0000000000B00000-0x00000000010AC000-memory.dmp	family_ffdroider
behavioral1/memory/2416-664-0x0000000000B00000-0x00000000010AC000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 22 IoCs

resource	yara_rule
behavioral1/memory/2196-135-0x0000000005210000-0x0000000005AFB000-memory.dmp	family_glupteba
behavioral1/memory/2196-136-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/2196-170-0x0000000005210000-0x0000000005AFB000-memory.dmp	family_glupteba
behavioral1/memory/2196-171-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/2196-221-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/5908-252-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/5908-285-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/5908-332-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/5908-354-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-357-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-393-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-449-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-475-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-485-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-487-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-543-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-648-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/5472-659-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/1184-665-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral1/memory/5724-673-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral1/memory/5472-690-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba
behavioral1/memory/3888-691-0x0000000000400000-0x0000000002F2B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	5068	rUNdlL32.eXe	86

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000200000001eb04-524.dat	family_socelars
behavioral1/files/0x000200000001eb04-595.dat	family_socelars
behavioral1/files/0x000200000001eb04-588.dat	family_socelars
behavioral1/files/0x000200000001eb04-568.dat	family_socelars
behavioral1/files/0x000200000001eb04-605.dat	family_socelars

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/5388-676-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger
behavioral1/memory/1304-677-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2004	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001db31-471.dat	upx
behavioral1/files/0x000b00000001db31-472.dat	upx
behavioral1/files/0x000b00000001db31-474.dat	upx
behavioral1/memory/2084-476-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3824-486-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3824-594-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
104	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5352	sc.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5704	5908	WerFault.exe	116
552	1052	WerFault.exe	182
5460	5320	WerFault.exe	192

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2968	schtasks.exe
5932	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2352	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133337642284759719"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3232	powershell.exe
3232	powershell.exe
1800	chrome.exe
1800	chrome.exe
5400	taskmgr.exe
5400	taskmgr.exe
2196	Process not Found
2196	Process not Found
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5244	powershell.exe
5244	powershell.exe
5400	taskmgr.exe
5400	taskmgr.exe
5244	powershell.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5908	9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
5400	taskmgr.exe
5108	powershell.exe
5108	powershell.exe
5400	taskmgr.exe
5108	powershell.exe
5400	taskmgr.exe
5400	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeDebugPrivilege	5400	taskmgr.exe
Token: SeSystemProfilePrivilege	5400	taskmgr.exe
Token: SeCreateGlobalPrivilege	5400	taskmgr.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeDebugPrivilege	2196	Process not Found
Token: SeImpersonatePrivilege	2196	Process not Found
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeDebugPrivilege	5244	powershell.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3232	2196	Process not Found	89
PID 2196 wrote to memory of 3232	2196	Process not Found	89
PID 2196 wrote to memory of 3232	2196	Process not Found	89
PID 1800 wrote to memory of 2036	1800	chrome.exe	94
PID 1800 wrote to memory of 2036	1800	chrome.exe	94
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 5036	1800	chrome.exe	96
PID 1800 wrote to memory of 4872	1800	chrome.exe	97
PID 1800 wrote to memory of 4872	1800	chrome.exe	97
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98
PID 1800 wrote to memory of 992	1800	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
"C:\Users\Admin\AppData\Local\Temp\9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe"
1⤵
PID:2196
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Users\Admin\AppData\Local\Temp\9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
  "C:\Users\Admin\AppData\Local\Temp\9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe"
  2⤵
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5244
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2344
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3712
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4004
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2968
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4156
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:5932
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:5964
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:5352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 824
    3⤵
    - Program crash
    PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3c719758,0x7ffa3c719768,0x7ffa3c719778
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4712 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2324 --field-trial-handle=1884,i,8087929619300426059,5705320009440619259,131072 /prefetch:1
  2⤵
  PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5908 -ip 5908
1⤵
PID:5692

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3824

C:\Users\Admin\Desktop\installer.exe
"C:\Users\Admin\Desktop\installer.exe"
1⤵
PID:6000
- C:\Users\Admin\Desktop\md9_1sjm.exe
  "C:\Users\Admin\Desktop\md9_1sjm.exe"
  2⤵
  PID:2416
- C:\Users\Admin\Desktop\FoxSBrowser.exe
  "C:\Users\Admin\Desktop\FoxSBrowser.exe"
  2⤵
  PID:3188
- C:\Users\Admin\Desktop\Folder.exe
  "C:\Users\Admin\Desktop\Folder.exe"
  2⤵
  PID:5148
- - C:\Users\Admin\Desktop\Folder.exe
    "C:\Users\Admin\Desktop\Folder.exe" -a
    3⤵
    PID:4724
- C:\Users\Admin\Desktop\pub2.exe
  "C:\Users\Admin\Desktop\pub2.exe"
  2⤵
  PID:2260
- C:\Users\Admin\Desktop\File.exe
  "C:\Users\Admin\Desktop\File.exe"
  2⤵
  PID:4520
- C:\Users\Admin\Desktop\Install.exe
  "C:\Users\Admin\Desktop\Install.exe"
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:2352
- C:\Users\Admin\Desktop\Updbdate.exe
  "C:\Users\Admin\Desktop\Updbdate.exe"
  2⤵
  PID:1804
- C:\Users\Admin\Desktop\Graphics.exe
  "C:\Users\Admin\Desktop\Graphics.exe"
  2⤵
  PID:1184
- C:\Users\Admin\Desktop\Details.exe
  "C:\Users\Admin\Desktop\Details.exe"
  2⤵
  PID:5388
- C:\Users\Admin\Desktop\Files.exe
  "C:\Users\Admin\Desktop\Files.exe"
  2⤵
  PID:2016

C:\Users\Admin\Desktop\installerexe.exe
"C:\Users\Admin\Desktop\installerexe.exe"
1⤵
PID:2216
- C:\Users\Admin\Desktop\md9_1sjm.exe
  "C:\Users\Admin\Desktop\md9_1sjm.exe"
  2⤵
  PID:2372
- C:\Users\Admin\Desktop\Install.exe
  "C:\Users\Admin\Desktop\Install.exe"
  2⤵
  PID:5828
- C:\Users\Admin\Desktop\Updbdate.exe
  "C:\Users\Admin\Desktop\Updbdate.exe"
  2⤵
  PID:1996
- C:\Users\Admin\Desktop\Graphics.exe
  "C:\Users\Admin\Desktop\Graphics.exe"
  2⤵
  PID:5724
- C:\Users\Admin\Desktop\Folder.exe
  "C:\Users\Admin\Desktop\Folder.exe"
  2⤵
  PID:5320
- - C:\Users\Admin\Desktop\Folder.exe
    "C:\Users\Admin\Desktop\Folder.exe" -a
    3⤵
    PID:2220
- C:\Users\Admin\Desktop\FoxSBrowser.exe
  "C:\Users\Admin\Desktop\FoxSBrowser.exe"
  2⤵
  PID:5308
- C:\Users\Admin\Desktop\File.exe
  "C:\Users\Admin\Desktop\File.exe"
  2⤵
  PID:5352
- C:\Users\Admin\Desktop\pub2.exe
  "C:\Users\Admin\Desktop\pub2.exe"
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 340
    3⤵
    - Program crash
    PID:552
- C:\Users\Admin\Desktop\Files.exe
  "C:\Users\Admin\Desktop\Files.exe"
  2⤵
  PID:6128
- C:\Users\Admin\Desktop\Details.exe
  "C:\Users\Admin\Desktop\Details.exe"
  2⤵
  PID:1304

C:\Users\Admin\Desktop\9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe
"C:\Users\Admin\Desktop\9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad.exe"
1⤵
PID:5472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1052 -ip 1052
1⤵
PID:5824

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4188
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 608
    3⤵
    - Program crash
    PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5320 -ip 5320
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
52921a3a4d8fd765f74ce9893900cef8

SHA1
cc0b7ef2dbbe8d28bef2b4b178de04ff6b7c1fef

SHA256
173b09551184783cbeebb59fa9fcc38fab56e83cab71e8eebb2756fa0d2379e4

SHA512
43d29d5816f76f6f0c08473f853cfb5021e322953a331ca83939526ac33d072c8a947aa06d17efaabfb6d9db684217004b18707f24e429ce2e37dc63b65dc420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c17bb3d97fd28048b0ba72605b453cce

SHA1
19ebfbc7571f310e138836f829c97f08fce4ec71

SHA256
7201edae67eb7517ec2b3d9f9da75106b27338cac6c04b437c419bdbc7b8744c

SHA512
0157e637917bd77d55ddf4066fc6df4cdf957943490dc2a1cc177ac2de5564449cf348871da7946dc24ea11ea05480715453a9e50d971b2f606c92a1c0380bbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
071ad04ef592274d31d45f9883d73873

SHA1
fffce061f7c2a01c7a67bb8f64d6e8b60e4f02a5

SHA256
89d0761374eb49a24100c67ad2840775d482dcbead6038f2709b10e135537645

SHA512
984f702f74b6776759e85dc019f5a7e994b6214afa5b6c6ae9aa0833373b4c6c5924e481bd797e7f375834a50f1e0f97e1e6eca92432724143561661bdf82103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cba8587d556b726cb969b4baaac64b1d

SHA1
4c41fb502101744ca7a5ef06c57b5628d6cdba9f

SHA256
37432b0a955e99264419b81a8eb4d4f15adcf1934be3b9a5b023b004b7fb2107

SHA512
57bc65e402684b9a06b5b70cccc953e693b7a078310c43e9448afb9f9ba447242e702dd0639da849af8281a82101e5993610408f7cd5330c8edf4ef45d51a2cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
91a3efdf5c2a6a07ba6dd9df1e4ca2d8

SHA1
67de756f2f942541639c519aaea8d8ae6aec592d

SHA256
6b94339b059b50c1328f0c6b734c48c5dc3a39b8192c6513adde04ca0b2ab314

SHA512
423ad9af71d8a56d339113da385c0f401300aea33cefe81cf7b0088a7b78c8499dd71313516a8d66f8d4bb48b10fc3c203e96500db59a594b7b8b9ebea7a0831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
de3af31a0c33acbd81785035b0a7643f

SHA1
962ecca5837c4a311e719d03f0242d1fd739a5de

SHA256
f63baed9b0af6e87d95759769de94207248e16761b0b9a942012494ba08bfae5

SHA512
4281b14bb51a0a03d8a895f6bc8eedec6ce70755519f58acf21ae7ed19ce795cf92a810153f940c5cc294a39a956325ee24696269636d7a1847399afeef59ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
fca1545b9cce3409ff4df8bd21313a04

SHA1
f276ac1879dadbcd7f15d85b5ee83d99018c74d5

SHA256
958d066ab87fde8243405c81df796d63a74fde8cb2101b035bafbae4edff99c0

SHA512
a879431ade1d41fcd8b6dd273cd555d78fb4b64dc46969c4ca15573b494bedba7c5bdb7a597f30a8c49b245ae48007513fb656fa0204b378fc564ba6befa7451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpqwtagw.chm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\Desktop\Details.exe

Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\Desktop\Details.exe

Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\Desktop\Details.exe

Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\Desktop\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\Desktop\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\Desktop\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\Desktop\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\Desktop\File.exe

Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\Desktop\Files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\Desktop\Files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\Desktop\Files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\Desktop\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\Desktop\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\Desktop\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\Desktop\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\Desktop\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\Desktop\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\Desktop\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\Desktop\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\Desktop\FoxSBrowser.exe

Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\Desktop\Graphics.exe

Filesize
4.5MB

MD5
c23ba92b5c4996521a91125351a93067

SHA1
6cbd88b68f7b0e7342ff7595da62cf917299119d

SHA256
7fd016993b6dfdfb7c11b6c6d364b4ba84096bf816de3e3e07cbce0f5ec83224

SHA512
b0df65c1ececbe03c9755dd1dc4df27a5f66090bdc00ec38c747448b0201d4dd5dba053242be47a730cd9d8034b910b39db87c353fa85022a4b59bfa27ce33fe

Download Submit
C:\Users\Admin\Desktop\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\Desktop\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\Desktop\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\Desktop\Graphics.exe

Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\Desktop\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\Desktop\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\Desktop\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\Desktop\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\Desktop\Install.exe

Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\Desktop\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\Desktop\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\Desktop\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\Desktop\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\Desktop\Updbdate.exe

Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\Desktop\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\Desktop\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\Desktop\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\Desktop\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\Desktop\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\Desktop\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\Desktop\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\Desktop\pub2.exe

Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\Documents\VlcpVideoV1.0.1\md9_1sjm.exe

Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
705b7fd6c7783016d4230442aeab74bb

SHA1
c6eb89cf8318342f9770303ae33545e742950a9a

SHA256
06063bf8f07b5be3a67c107e20f50852d6878c80f1f3b3667736d2e92ddc5cbe

SHA512
c4494701e96403798b16da130690ea216fbf3024d6ff2a15ab331ff34b16c0ab228288013e7994c88199020c0ee360fa66abee0d4fd95ab965af7a5fa22a17b4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
504af6456a097a01a9b6f05a7a7359ac

SHA1
3a098831a0a81633d8ac0b43dc6e10e08d1c1ea3

SHA256
9317e26cb8a9b45d330d1d72b007487b611073b40622291ac0c723c1744b7ffb

SHA512
d528b70c4b6dc97cf7f1d8f003b5ff38a21d8e5f2389744d0d5ffaa238127c7b29e7e77aae242b0d6749013cb21018525961b3316e4385d43e53fb15fc92a4ee

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
148b2b47d0cdc8db51d3ea9250c55a54

SHA1
3a757586b278c9df3ec8d68754c7dc0cbe891f71

SHA256
543176daf8b44476dd1f3fb7df197f58c538551e40bc92658cf51402ff8ee561

SHA512
24d162e518b33d72028997f4e34884340900b78bb188495db23f04e47f2e8ba459f5618de373a034bcd78af5a4b33b489ed51559cc63584bc2689af1dbe6a7c1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6f334ba7cec6234488398a69d4c589c1

SHA1
227399735064615843b782f724284c156a42755d

SHA256
ac2241c60e2c96d4fde6808a4f1104f45714456d0bedc4bed60c08ae5ae98095

SHA512
265bab88a2d52b419eb8ef4f402c0722a74debc37f9c3c6798fc67bcd7ba61e19f7f673d783c66f148e131cceb52d8ceafb3397c8628c0c318ad47adde6b7845

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a2c39d76ac70e170e32ddea6f6491d61

SHA1
45046c53273209c6cc0cc8be07b993e7e14b5efe

SHA256
14bf27d81e02c71ab8a7633a30483bab54ba6f61ed4c96c1d2055253725c105d

SHA512
8987b997eea82a88f1f3ee28ab8fe95fe7f6da79dcc2f628b4c63df80c920cc555b32d5ddd817090b49b13c0bb0b71db302f8ec46d0c98f68b2804c587606c39

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
551a3b674dc17c8d882475bae721ca8d

SHA1
e6fb6eceb4bf2336c37352d2766e998217b3d717

SHA256
9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad

SHA512
788aad12f99df04304980a875638988832cff18ce3c10b80c67ce5ba451805629379dcdb3f2be600d85b5c11671ed3b91c713eae3a68d1d467e6e33fd8919d3e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
551a3b674dc17c8d882475bae721ca8d

SHA1
e6fb6eceb4bf2336c37352d2766e998217b3d717

SHA256
9e02b28216568f0a44c6d8355d8847eddcce37ebd463684620076fed091128ad

SHA512
788aad12f99df04304980a875638988832cff18ce3c10b80c67ce5ba451805629379dcdb3f2be600d85b5c11671ed3b91c713eae3a68d1d467e6e33fd8919d3e

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\??\c:\users\admin\desktop\files.exe

Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
memory/1052-668-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/1184-665-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/1304-677-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1804-669-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/1996-675-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/2084-476-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2196-171-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/2196-221-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/2196-134-0x0000000004E00000-0x0000000005207000-memory.dmp

Filesize
4.0MB

Download
memory/2196-135-0x0000000005210000-0x0000000005AFB000-memory.dmp

Filesize
8.9MB

Download
memory/2196-170-0x0000000005210000-0x0000000005AFB000-memory.dmp

Filesize
8.9MB

Download
memory/2196-136-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/2196-165-0x0000000004E00000-0x0000000005207000-memory.dmp

Filesize
4.0MB

Download
memory/2260-670-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/2372-660-0x0000000000B00000-0x00000000010AC000-memory.dmp

Filesize
5.7MB

Download
memory/2372-693-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/2416-664-0x0000000000B00000-0x00000000010AC000-memory.dmp

Filesize
5.7MB

Download
memory/2604-666-0x0000000008E10000-0x0000000008E25000-memory.dmp

Filesize
84KB

Download
memory/3232-138-0x0000000004910000-0x0000000004946000-memory.dmp

Filesize
216KB

Download
memory/3232-220-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-155-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/3232-183-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-184-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/3232-185-0x00000000706B0000-0x0000000070A04000-memory.dmp

Filesize
3.3MB

Download
memory/3232-195-0x0000000007470000-0x000000000748E000-memory.dmp

Filesize
120KB

Download
memory/3232-196-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/3232-197-0x0000000007670000-0x0000000007706000-memory.dmp

Filesize
600KB

Download
memory/3232-143-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/3232-142-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/3232-141-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/3232-140-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3232-139-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3232-207-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3232-208-0x0000000007610000-0x000000000761E000-memory.dmp

Filesize
56KB

Download
memory/3232-209-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/3232-210-0x0000000007650000-0x0000000007658000-memory.dmp

Filesize
32KB

Download
memory/3232-181-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3232-182-0x0000000007490000-0x00000000074C2000-memory.dmp

Filesize
200KB

Download
memory/3232-144-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3232-180-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/3232-179-0x0000000007730000-0x0000000007DAA000-memory.dmp

Filesize
6.5MB

Download
memory/3232-173-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3232-137-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-172-0x0000000007030000-0x00000000070A6000-memory.dmp

Filesize
472KB

Download
memory/3232-164-0x0000000006470000-0x00000000064B4000-memory.dmp

Filesize
272KB

Download
memory/3712-333-0x00000000044E0000-0x00000000044F0000-memory.dmp

Filesize
64KB

Download
memory/3712-320-0x00000000044E0000-0x00000000044F0000-memory.dmp

Filesize
64KB

Download
memory/3712-349-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3712-321-0x00000000044E0000-0x00000000044F0000-memory.dmp

Filesize
64KB

Download
memory/3712-336-0x0000000070B80000-0x0000000070ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3712-319-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3712-335-0x00000000703E0000-0x000000007042C000-memory.dmp

Filesize
304KB

Download
memory/3712-334-0x000000007F370000-0x000000007F380000-memory.dmp

Filesize
64KB

Download
memory/3824-486-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3824-594-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3888-475-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-485-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-691-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-487-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-449-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-648-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-356-0x0000000005200000-0x0000000005600000-memory.dmp

Filesize
4.0MB

Download
memory/3888-393-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-357-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/3888-543-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/4004-358-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4004-380-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4004-360-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4004-359-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-381-0x0000000070340000-0x000000007038C000-memory.dmp

Filesize
304KB

Download
memory/5108-292-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/5108-290-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/5108-318-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/5108-305-0x0000000070B80000-0x0000000070ED4000-memory.dmp

Filesize
3.3MB

Download
memory/5108-304-0x00000000703E0000-0x000000007042C000-memory.dmp

Filesize
304KB

Download
memory/5108-303-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/5108-291-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/5244-272-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5244-254-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5244-288-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/5244-275-0x0000000070B60000-0x0000000070EB4000-memory.dmp

Filesize
3.3MB

Download
memory/5244-274-0x00000000703E0000-0x000000007042C000-memory.dmp

Filesize
304KB

Download
memory/5244-253-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/5244-255-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5388-676-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5400-229-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-228-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-238-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-222-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-244-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-242-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-243-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-241-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-240-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5400-239-0x00000164956E0000-0x00000164956E1000-memory.dmp

Filesize
4KB

Download
memory/5472-690-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/5472-659-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/5724-673-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/5908-354-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/5908-246-0x0000000004B80000-0x0000000004F83000-memory.dmp

Filesize
4.0MB

Download
memory/5908-252-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/5908-332-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download
memory/5908-273-0x0000000004B80000-0x0000000004F83000-memory.dmp

Filesize
4.0MB

Download
memory/5908-285-0x0000000000400000-0x0000000002F2B000-memory.dmp

Filesize
43.2MB

Download