aurora | 87996cc12b3919fb370a67e45b037e0b75f1de66df8afcca060f0ac8e3464910

Resubmissions

27-08-2023 06:21

230827-g4ev7ahg6z 10

27-08-2023 05:29

230827-f6wfaahf7w 8

Analysis

max time kernel
718s
max time network
1631s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2023 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyHunter-5.15-6-5285-Installer.exe
Size

6.8MB
MD5

07386184c9f3ab2b533c73c854398805
SHA1

ed43d9745c5f8f91cf90003647ca983d7e0b037e
SHA256

87996cc12b3919fb370a67e45b037e0b75f1de66df8afcca060f0ac8e3464910
SHA512

c4c6caf978e93161c71e1b5391d210210fe35e640ea4bacc1dd3ecc812c71ad0b06fd2d45a2155a35f84803d17114e909b95df18407a9959167d07c7667afad6
SSDEEP

98304:S5lVuh2IHJm4PO1FFGlapRGR+Tj9GsYz40ng7ifP8roXtRCvrUEr7MkHkcZCDbhd:SPI1kt5TAWifPXtwUEX8D9H9

Score

10^/10

aurora dcrat fabookie healer redline nrava aspackv2 dropper evasion infostealer persistence rat spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

redline

Botnet

nrava

77.91.124.82:19071

Attributes

auth_value
43fe50e9ee6afb85588e03ac9676e2f7

Extracted

Family

aurora

217.195.155.154:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4200-981-0x0000000140000000-0x0000000140620000-memory.dmp	family_fabookie

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1764-1170-0x0000000000010000-0x000000000001A000-memory.dmp	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a6012941.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6012941.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6012941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6012941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6012941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6012941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6012941.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	520	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	520	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4000-1178-0x0000000000AA0000-0x0000000000AD0000-memory.dmp	family_redline

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Malware\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe	dcrat
C:\Users\Admin\Desktop\Malware\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe	dcrat
behavioral1/memory/3300-989-0x00000000004C0000-0x00000000005E6000-memory.dmp	dcrat
C:\Users\Default\SpyHunter-5.15-6-5285-Installer.exe	dcrat
C:\Users\Default\SpyHunter-5.15-6-5285-Installer.exe	dcrat
C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe	dcrat

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Drops file in Drivers directory 1 IoCs

Processes:

ShKernel.exe

description ioc process

File created C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys ShKernel.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys	ShKernel.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Malware\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe	aspack_v212_v242
C:\Users\Admin\Desktop\Malware\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe	aspack_v212_v242

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3144-955-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/3144-958-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/3144-959-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/3144-957-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/3144-960-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/3144-971-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Malware\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe	vmprotect
C:\Users\Admin\Desktop\Malware\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe	vmprotect
behavioral1/memory/4200-981-0x0000000140000000-0x0000000140620000-memory.dmp	vmprotect

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a6012941.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6012941.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6012941.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v1703362.exeef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.exev5333465.exev9396518.exev1391561.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1703362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5333465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9396518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1391561.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe

description ioc process

File opened (read-only) \??\F: 3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe

description	ioc	process
File opened (read-only)	\??\F:	3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe

Drops file in System32 directory 13 IoCs

Processes:

ShKernel.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	ShKernel.exe
File opened for modification	C:\Windows\system32\sh5native.exe	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	ShKernel.exe

Drops file in Program Files directory 52 IoCs

Processes:

SpyHunter-5.15-6-5285-Installer.exeShKernel.exec3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exeShMonitor.exeSpyHunter5.exe

description	ioc	process
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023082603.json.ecf	ShKernel.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Data\CrCache.dat	ShKernel.exe
File created	C:\Program Files\WindowsApps\csrss.exe	c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat	SpyHunter-5.15-6-5285-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng	SpyHunter-5.15-6-5285-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230827_063236.krn.log	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\license.txt	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng	SpyHunter-5.15-6-5285-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023082603.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log	ShMonitor.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpdata.dat	SpyHunter-5.15-6-5285-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230827_063240.sh5.log	SpyHunter5.exe

Drops file in Windows directory 1 IoCs

Processes:

SpyHunter-5.15-6-5285-Installer.exe

description ioc process

File created C:\Windows\Tasks\EsgInstallerTask83.job SpyHunter-5.15-6-5285-Installer.exe

description	ioc	process
File created	C:\Windows\Tasks\EsgInstallerTask83.job	SpyHunter-5.15-6-5285-Installer.exe

Executes dropped EXE 17 IoCs

Processes:

3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exec3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exeSpyHunter-5.15-6-5285-Installer.exeeef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exeef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.exev5333465.exev9396518.exev1391561.exev1703362.exea6012941.exeb5008354.exec0372219.exef5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exeShKernel.exeShMonitor.exeSpyHunter5.exe

pid	process
3144	3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe
4200	2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe
3300	c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
1000	ef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.exe
3600	v5333465.exe
5108	v9396518.exe
1212	v1391561.exe
3356	v1703362.exe
1764	a6012941.exe
3520	b5008354.exe
4000	c0372219.exe
4256	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
4140	ShKernel.exe
3492	ShMonitor.exe
2472	SpyHunter5.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4404 sc.exe
4576 sc.exe
1908 sc.exe
4408 sc.exe
4788 sc.exe
3804 sc.exe
4468 sc.exe
1680 sc.exe

pid	process
4404	sc.exe
4576	sc.exe
1908	sc.exe
4408	sc.exe
4788	sc.exe
3804	sc.exe
4468	sc.exe
1680	sc.exe

Loads dropped DLL 22 IoCs

Processes:

eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exeregsvr32.exe

pid	process
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4328	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4108	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
3356	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
4908	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
1156	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
232	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
4376	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
2380	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
4056	4256	WerFault.exe	f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1452 schtasks.exe
4380 schtasks.exe
1376 schtasks.exe
1092 schtasks.exe
1912 schtasks.exe
4464 schtasks.exe

pid	process
1452	schtasks.exe
4380	schtasks.exe
1376	schtasks.exe
1092	schtasks.exe
1912	schtasks.exe
4464	schtasks.exe

Modifies data under HKEY_USERS 54 IoCs

Processes:

ShKernel.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ShKernel.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133375908979766648"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ShKernel.exe

Modifies registry class 19 IoCs

Processes:

regsvr32.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\ = "SH ShellExt Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SHContextMenuExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SH5 Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ShKernel.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ShKernel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ShKernel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ShKernel.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exechrome.exec3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exeSpyHunter-5.15-6-5285-Installer.exeeef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exea6012941.exechrome.exechrome.exeSpyHunter-5.15-6-5285-Installer.exemsedge.exemsedge.exeShKernel.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1784	chrome.exe
1784	chrome.exe
3300	c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
2060	SpyHunter-5.15-6-5285-Installer.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
1764	a6012941.exe
1764	a6012941.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
3256	chrome.exe
3256	chrome.exe
2316	chrome.exe
2316	chrome.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
1204	msedge.exe
1204	msedge.exe
1720	msedge.exe
1720	msedge.exe
4140	ShKernel.exe
4140	ShKernel.exe
4140	ShKernel.exe
4140	ShKernel.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SpyHunter-5.15-6-5285-Installer.exe

pid process

2060 SpyHunter-5.15-6-5285-Installer.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

ShKernel.exe

pid process

4140 ShKernel.exe

pid	process
2060	SpyHunter-5.15-6-5285-Installer.exe

pid	process
4140	ShKernel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
1720	msedge.exe
1720	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SpyHunter-5.15-6-5285-Installer.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	2276	SpyHunter-5.15-6-5285-Installer.exe
Token: SeBackupPrivilege	2276	SpyHunter-5.15-6-5285-Installer.exe
Token: SeRestorePrivilege	2276	SpyHunter-5.15-6-5285-Installer.exe
Token: SeDebugPrivilege	2276	SpyHunter-5.15-6-5285-Installer.exe
Token: SeTakeOwnershipPrivilege	2276	SpyHunter-5.15-6-5285-Installer.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeSpyHunter-5.15-6-5285-Installer.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
2276	SpyHunter-5.15-6-5285-Installer.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exeeef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe

pid	process
3144	3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe
3144	3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
4876	eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1808 wrote to memory of 2404	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2404	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4444	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1584	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1584	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2664	1808	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

ShKernel.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ShKernel.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ShKernel.exe

C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.15-6-5285-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.15-6-5285-Installer.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2276

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
2⤵
- Launches sc.exe
PID:4408

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
2⤵
- Launches sc.exe
PID:4788

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
2⤵
- Launches sc.exe
PID:3804

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
2⤵
- Launches sc.exe
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.enigmasoftware.com/congratulations-spyhunter-installed/?hwx=eb07931fd29689be1687f69815573ec3&lang=EN&purl=https%3A%2F%2Fpurchase%2Eenigmasoftware%2Ecom%2Fshwin&sid=shc
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb351746f8,0x7ffb35174708,0x7ffb35174718
3⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15003747198050726974,2669491350238543230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15003747198050726974,2669491350238543230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
3⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15003747198050726974,2669491350238543230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
3⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15003747198050726974,2669491350238543230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
3⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15003747198050726974,2669491350238543230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
3⤵
PID:3556

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe config ShMonitor start= auto
2⤵
- Launches sc.exe
PID:1680

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe config EsgShKernel start= auto
2⤵
- Launches sc.exe
PID:4404

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4328

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe start EsgShKernel -tt_on
2⤵
- Launches sc.exe
PID:4576

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe start ShMonitor
2⤵
- Launches sc.exe
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb35469758,0x7ffb35469768,0x7ffb35469778
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:2
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5284 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4116 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5440 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5468 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5560 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4116 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4016 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5252 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1772 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5556 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5088 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5576 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5408 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5620 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5548 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1252 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3988 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=2196 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=4568 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5688 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=3076 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=4680 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:1
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1792,i,9254748944124374888,17213387760890657646,131072 /prefetch:8
2⤵
PID:2908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2916

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -ad -an -ai#7zMap32321:1130:7zEvent17965
1⤵
PID:4144

C:\Users\Admin\Desktop\Malware\3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe
"C:\Users\Admin\Desktop\Malware\3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe"
1⤵
- Enumerates connected drives
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Users\Admin\Desktop\Malware\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe
"C:\Users\Admin\Desktop\Malware\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe"
1⤵
- Executes dropped EXE
PID:4200

C:\Users\Admin\Desktop\Malware\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe
"C:\Users\Admin\Desktop\Malware\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe
"C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SpyHunter-5.15-6-5285-InstallerS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SpyHunter-5.15-6-5285-Installer" /sc ONLOGON /tr "'C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SpyHunter-5.15-6-5285-InstallerS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Users\Admin\Desktop\Malware\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
"C:\Users\Admin\Desktop\Malware\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Users\Admin\Desktop\Malware\ef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.exe
"C:\Users\Admin\Desktop\Malware\ef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.exe"
1⤵
- Adds Run key to start application
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5333465.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5333465.exe
2⤵
- Adds Run key to start application
- Executes dropped EXE
PID:3600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9396518.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9396518.exe
3⤵
- Adds Run key to start application
- Executes dropped EXE
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1391561.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1391561.exe
4⤵
- Adds Run key to start application
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1703362.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1703362.exe
5⤵
- Adds Run key to start application
- Executes dropped EXE
PID:3356

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6012941.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6012941.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5008354.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5008354.exe
6⤵
- Executes dropped EXE
PID:3520

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0372219.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0372219.exe
5⤵
- Executes dropped EXE
PID:4000

C:\Users\Admin\Desktop\Malware\f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe
"C:\Users\Admin\Desktop\Malware\f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 536
2⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 540
2⤵
- Program crash
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 540
2⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 616
2⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 640
2⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 608
2⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 648
2⤵
- Program crash
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 656
2⤵
- Program crash
PID:4056

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21381:1202:7zEvent28319 -tzip -sae -- "C:\Users\Admin\Desktop\Malware\Malware.zip"
1⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb35469758,0x7ffb35469768,0x7ffb35469778
2⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:2
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:1
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:1
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4108 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:1
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5408 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:1
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3360 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4876 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:8
2⤵
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4028 --field-trial-handle=2424,i,6975519255184032200,2752771030146679381,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4256 -ip 4256
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4256 -ip 4256
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4256 -ip 4256
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4256 -ip 4256
1⤵
PID:2648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x514
1⤵
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:732

C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- System policy modification
PID:4140

C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
"C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4256 -ip 4256
1⤵
PID:924

C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe
"C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe"
1⤵
PID:4560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4256 -ip 4256
1⤵
PID:740

C:\odt\sihost.exe
C:\odt\sihost.exe
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4256 -ip 4256
1⤵
PID:3060

C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe
"C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe"
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4256 -ip 4256
1⤵
PID:4336

C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe
"C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe"
1⤵
PID:5044

C:\odt\sihost.exe
C:\odt\sihost.exe
1⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EnigmaSoft\SpyHunter\Defs\2023082603.json.ecf
Filesize
54.9MB

MD5
96cf6beb7b7a29132f08a9150faf9b91

SHA1
044a6e2d9102ffe9a590834ff74fff738ea09a9a

SHA256
689768bbd27ac8463aec8fbbe1079314a9e514b8be0fa55c23e5db217f96540b

SHA512
59dcc9981ebe63804b237dff048cf4b6b2f221f5f0f034eb5d6f77a2e250ae89c98e90c6fa3c085333be18858ad840f6d0ea39c550cba6c4161091a48ee36288

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
Filesize
18.5MB

MD5
e0499e7a801e014086a504a2a6d7c0f8

SHA1
5c368d8cb7990ee35db64970b247c03043940d88

SHA256
677fff764eccfde328350b45c5eba4b77c66a816f80d3f413318f0a66cd4d9f8

SHA512
55262e30ed73a2c58b028a874c0df992cd208a34e0241869245fab5d5bb11bb3192c408849f3712db1cc637ba49de145f4e7f424adf05d36c0f97c2cf37e5ebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
f083bcd6a0628fa4aca1d134179c94f7

SHA1
dad1bdfa0fa12bbf89581b0f2349d34d5e48c412

SHA256
598abb8646aa2b6371f79de998960b5bc7a28e195a594ad15d8da9e86995892d

SHA512
33d2a799420f46ee769a83499852bf7a62f4f0887a036a7a1989c096fd977763685c230616429a4840636d0f0cc9eb9f19c415271fade01a10eab5d92d2d3e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016
Filesize
22KB

MD5
3b5537dce96f57098998e410b0202920

SHA1
7732b57e4e3bbc122d63f67078efa7cf5f975448

SHA256
a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88

SHA512
c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
30KB

MD5
888c5fa4504182a0224b264a1fda0e73

SHA1
65f058a7dead59a8063362241865526eb0148f16

SHA256
7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715

SHA512
1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
77KB

MD5
b15db15f746f29ffa02638cb455b8ec0

SHA1
75a88815c47a249eadb5f0edc1675957f860cca7

SHA256
7f4d3fd0a705dbf8403298aad91d5de6972e6b5d536068eba8b24954a5a0a8c7

SHA512
84e621ac534c416cf13880059d76ce842fa74bb433a274aa5d106adbda20354fa5ed751ed1d13d0c393d54ceb37fe8dbd2f653e4cb791e9f9d3d2a50a250b05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize
81KB

MD5
deae851a27cbd206145e686f7dd46465

SHA1
e2da8359e5a21284c43a7ab09da02b2047e4ce8d

SHA256
d807ded67f863301aee85b95200d9afc1a2fa4f862ae73444710770a8858722d

SHA512
41258c84e781e846618b2dbb51accc2cd3789f83617ee1a43f6c868a97ce487f133e2501a3c2c8bdd0966d519ba26fd55a9413742e85d440fb83e96420972e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c
Filesize
180KB

MD5
497835d373e12af4cd257487dd5d3612

SHA1
425950e9427926ac0aa7940c4a18a44ab59df47a

SHA256
e11ff08dff0a884b311133e2469146b2a54319cf60094511e098df0c3677c4e0

SHA512
aa05611f56185e02289345f9c286ca98f96d5e1d24c8d152605e866e60013dc2945fc60f826e81459003ca9c2b7d439c0f6fdd173cbee57cd751ee51b18d2bf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030
Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\02aecf8da6f8f2af_0
Filesize
246B

MD5
5dfb4f09aee15accef52c20decada095

SHA1
ddb031c0ac3fc15c106904c3cb1c3cd427a2dbcc

SHA256
62ff81024e81af11428f86d9ddccb4f1e7b9ada23a6a16617752cea868fcab10

SHA512
84f221417e41eecd4c3509a666a9859f1a46c68ff1652884930bc0aa2f72f728126b5753499ae6ec8dd1e4557febbcaff3edcdd15911d3e76f8aff8e11de1b4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\24a37706d3ab219b_0
Filesize
249B

MD5
7c9cf452de6036207309154a67dd2f32

SHA1
dfeaaffad4e5f68cfb087711b5ab4e351aa74493

SHA256
1342d579d919ec41bcf18e6f4f5aeda31a52639d97c125eae773ffb3734ecea5

SHA512
ef0587c3837ce3ae137959dd81858d4f72c54de17101aba8b0d9e2ae14a1bb1fbaef69b9382504ffe162c29b1b18d9380e9ff3de66736aa96f560e990341e8a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\41a4ebffd069515d_0
Filesize
259B

MD5
11527a7ec5c2bd9e5e96f42d9ea1aa9a

SHA1
3a1d147dbd1036de4198c46452c36130cd76d6ee

SHA256
e2a405cbc6d2dbad58e96b027b24fd15b009118bb3bcaa0059e031e2c21646f8

SHA512
8b085969efe0f51650bd60123214029e4b91aaad084be1ca52f9e23c57f576de0136b08997be36d1a072ef526a992e723ee28e83c4b0c2d43a27611f2e04537b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b35436143e7a28a0_0
Filesize
49KB

MD5
8620e293f807b53143f5bce8b18a6de7

SHA1
8bd5738746b0b561df1986c979227ceb357e5608

SHA256
a7e28fd46171e70eb99d4ba7aab7529155de6924c8848838960784781bdd4d23

SHA512
857c1dd4c39e50fcaf93e3f5c7c6651032f332b2c575a918f011a6726c6ec85ea9ae49f29b73b12d43194274d7e24d5f3c142a0e1a5a1af20915f4194599f80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b9aca2f5df61f70d_0
Filesize
105KB

MD5
4e9d199ee4f4d2ebdb27544d9362cff8

SHA1
d7b0ad7a21989bf9abe20f5b676d41ae48e3281d

SHA256
539eafe12fbfb4609cef2df8c6eb918226a8998b61cdd3e041e54d97e77fd4e1

SHA512
38dcd5dd7a38651eceb3684b29d1ae0dcd1a5c549c1bdf4dac6c3605579653e27ddd2e4d0b44b7a3b4314ed917143437537fb0443ca5af44af81834cde3a50b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f1905d73affcc808_0
Filesize
368KB

MD5
243d16ab9549f1ca389eb8e421663ac2

SHA1
b051d26b4bec9dbccc9b4c3914ba29c2026a3f19

SHA256
dc5218e2aef31dd900051a69208902244a900e7671cbbda2dfbfaecd135bd68d

SHA512
6263ba695ee8553a1d7df63f48cd7e1ecc33af4414f2c6fcdeaeeead9800f13556d4073599b652cdc4875bd00d20c14fda63f73b19446bd1a0eb658f1968e9f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
1KB

MD5
b75207fd4629514743d704dcd4605909

SHA1
c4ee89d911bfed143f26bca2e11d02c9aa66fdab

SHA256
7f799451cc3a29a4bd9a321b857211581d4c66b66f04ac960496f96265077564

SHA512
d3dffdfa1936d6377a86db95fb127c2be721414822e41d47b8b44f7a57f7a536ea1d07a4e27b9ad0ce16df58ad54e06440a3dd3c937d6136027d603c63925614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
744B

MD5
64d74372f0636154a066f910d25db55c

SHA1
d4b41b61ad4a6ec2993ab8f2b8e318e31a30670c

SHA256
758887fe722ebee85288772391cebc882b7314d55d869f29f538d15eb495ebea

SHA512
04b83ed52355b59ae9ba5849d468afde49663f3554093bc68b4f4f1783cb1a4ca2706c5238cf3550131711513183ab7255e8c8f742a2166a5d6276aecb06a2a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
5b11079ff5bc1056f1460f90918cf797

SHA1
9690469ce147804e079182d5afb901e3012f9e0f

SHA256
360504f5a817f65037419cf16d395ff6e1a99af08bce92a04fd9b0d7f1132590

SHA512
a321cd0de01e732c9370cdebdb8a9d3155b567a316a2229949ca25cb851100d4b854d2d863989c7a6044fc916ebcce47913386fa3210a4cb24cb392b3cda95ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
b4fc2da98ac33817a06d50c88f238d2c

SHA1
6e1be9fa67ceead97d0e6ac46af414215da61969

SHA256
68688cf4faae1167dbdd022872b4b9068fde993019eee4509d7a4505df94d5e3

SHA512
56712004ffe3079748ec84e45696d2e95f3867d866d42a6fb33889a692b9005b3818223c251461922a869042d1cdbcce926b28623727990da6a92698484db479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
94dd087e6c94b390fa73dd328d8db8a8

SHA1
9ac471b30493337dd0870c580e7a66f012c69905

SHA256
99ff077e689089405d5d6918589718968d1e4fc23d78ef406a69a8dd557668d6

SHA512
90a1fe6418a256f40981c849dabad54dcf0c77888f45b459733e9e88423e4c79ac1309d7bbb410b9677fea370792a069ee09291428e20d4026b11cafd9179990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
d2d62eff753840f9789fe1c2ee8b27be

SHA1
1f93c929f00783c1c1ae9e4c5cbab090ee5511c7

SHA256
c8cad837ac19b9066520f2ff17d2cc785f9b28eb141c4e89a89156263c7b0489

SHA512
4bf11fe74f87db8cdd79d565745e7e9c734f90a3419cffdc74ccc94edb474439fc9b99dcfc961efd7a7e4a355a3bf0dfc5d7d7529eaefc50032512ea9ddc9a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
c3678475df4277c205f0da8299bda323

SHA1
62f33f78063b7617d45c4e774d3083a7a63f0137

SHA256
228aea2d877c5c75304d73af5b6a9106a7ebd3c8fb62e1fcbe3c0e6bd5cee6a9

SHA512
4549216df226af557acc665b58d3beb52b25a1813b6a03d30506f06cb4c5307a18911b6519d2b994ead037c4fdef69c8ec9a8ae4c41b141c1231b8785ceae710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1869d8c73fd3f9c6be5d7ba601ed2559

SHA1
0a1aa0ca3f97ee23c09cde426dc68b1dc4636744

SHA256
f7b372166837a4682d47de2d6d88fe08bdcdf54948413340d73160c534617de4

SHA512
e4f36a0d8631ee20f3731519503fe23d801ae608eb076f3987e67ac37594a033e2bccefe792db0d58a9d158e2fa42ce0c0726d9387c85e29371a7abfc8f966e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
bd91e434cc1fc7014680bfd16e5d38a8

SHA1
990af6dfd8a5d68a17a9e5512b5ed66ee1a44510

SHA256
be739712a342abaad1800a86127bf5ee75d6458adfd904a653cc9d830d401c09

SHA512
52fafa814d280cd7b1a7d7498ef04da0da4095ff13f6de86725995c494d81159262e06d6261dd21d030fd94069ecf9bbadfb8187210eeee57c29afdddfc88f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed\ad13ba92-793a-4f9a-b486-d6712473c3e1.tmp
Filesize
27KB

MD5
2bcbbcf34a9480cfb0a7b00041f41283

SHA1
802058d337343fe841b42dd9e75134817e097088

SHA256
16f200c0c0bbc13d6038b5d722b469f4920f40d89024aa6f645cdd5b3173b4fc

SHA512
0aec6fe4950d952d145d69bab3c90d061e1c485c07b235140d7a286e8be3a9fc83ac832be6c371572156f17efc2fc000d47457ed4e6102ec1c4cbf46a86ab1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
1752e1b9cfaafb40dbbbf543b87c8c43

SHA1
0f14a962e4e70534b5a595647e7359c187234a66

SHA256
ad96393b2df73e4d7e6881aa678753039902566c4374a604ad103fb3d2ec25bb

SHA512
281c494fd2796fc8ccbbede2ecda6689687c698bb875f8f94d6ab72a2f2e2b17b7310521df83c40330e617f8ba003e6850d8c2b68e0eb030103e825602033188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7618796d5ed8ce233acb0c7383e82388

SHA1
02e9a5f23aad34d794a115e000f157e16d78c0a9

SHA256
094213a3f8e47e7f7320d4673cdde3089f98ad5bbef59a6ac2fe8c5d23db4b1f

SHA512
b36c69bb2d803367b65294a19fc39b072043362e86a593ca9c94a89e34cd675c29568956d9d8eb6c6072a25a5af28d92586e4f28dcfb05f22f27f80903617870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a17a8ad218b512495f342c4bb992421d

SHA1
ddd137a1d145f1fd19d94176a1b5dab07e9029fd

SHA256
324f60dfd6574d7a49e54b9520525d609b458a82ad0f93635ae5701ad1eb468d

SHA512
06fe35a2bb59d161bf8ded291a777bc584e17b4106e834bf876e0a073f4e6bb57a8195fd18cbe22496c8e5a9f95f409879020460ff505ed53fcfe2e812b56838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
efe6c6ca9bd9333a529b636dd32cb503

SHA1
6fc2951dcf18fe1355da367633e215715353bc50

SHA256
12d8ee9ef137d530a46f4286e400cb69de27bb476924a104ffca64d327decc3c

SHA512
c40613cbde46ff32f77fcab54e0303821f2d6e63cdd3ae504fcf85e8e5427b440d613fcef21da425e837dca070ac5ef244a2f7c062abfa866a0eaf8f915d9f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
ad6be93b70a0b8444e283433d2263ece

SHA1
7970aae7d44488d692540d915665124feeb30ad9

SHA256
5d7b39d83606a4149e23bc542cedbb6279b4433c7862484ac1e3502dcbf48a17

SHA512
abf55ad21e4d13e11cb3679eb850a2fa6f6647fef922051e8eb1279587affc28caf32bb7d3015edb3930f920a52f07b90af97efa38b3b02462c2e0e1c9598732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
01c92b3145424ad0c55e6ae158e077d2

SHA1
2854a2bb7d946622050754dede38933f179b11fe

SHA256
100975516466f08d947d345c17c76da58c9de488553f2afe0ae5be32837daf11

SHA512
55987b2485a3fd972356fa6ce44d668c5dac4d229ead18692f669e817c4f99946695274cecaf2cc85cb0311c96a11454765afba77280571bcf5554e4afe019d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
1121bbc29394676af31bcdbb51e16719

SHA1
fde158cd2129c46cb9143de89cfac3307465230b

SHA256
0c2fcf20af297166a7261c3fed519449e8638af603930e69c79dd899621f9dbe

SHA512
967fa9b424ab022b48d927669a9ef0bb920ff08d63a472eb6535dde1726fc3365aab2c4ea886266b67b404d40432705d73e273354ac5a511e4d07a7e0fce9880

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a614833ce8f27f382facb1c8543d34e2

SHA1
deef15891c5efd4f3404710d4f6cd59633fbb874

SHA256
834903da06558b830b1f189bbd93356a7484762927aa898160a0cae6b2931d40

SHA512
3f61293424bc084c6f72acdec11297b6c468b417938bb3e2b2e376c8b8defc35446712db9637f57f40734aa568ced753f13d9478c9dfa54adef476b04061439e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
8c7dd0de2d57abde3f367f4af26e47a3

SHA1
d208b407b90abf5107c34a2c08153c84234e39db

SHA256
78ce295feb54b51ee012d95671d0cddccf3287d3b623170f1322780d9e2cae3c

SHA512
9edd4850776a397b5793c9dc8dfafa9289b6ee460f97971db3263b1009194ddf57777ab1cf1a8740b6d3d85e4696bad8ce6aff66bbfebe270a31d50a69ba173c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
a59a988865678c5a7f35fb6d6b95f57b

SHA1
1222b3863c278f4036bee13aff5975560af8a70d

SHA256
4530246764069f0499b9b5665ad2e16a3f3248b8001eb56f66969fb69afdce35

SHA512
686b84a414e20e5231275faf638ca007927fb89dbfea5688e46b5685366f3210c26fece6961f3f649ce3abb8a5f9e90e7fff8395e07093f1175843a270fe8d36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
cdb37eb6a514782d0bbed9ee13151abd

SHA1
7639d886155daccaf6c54f9389b2d5ad617fe79a

SHA256
89bd31aa59354429f6bff881dcca812b35b78cf7ee0e66da92fc0e1712ff8040

SHA512
20bb7cf1da39287eeec7837e5558d7c1549b90f01829e810f48d16bc852a97b60678135e4e39f2e9a4b4da49264dd190787ca0d84d2b88c4e6444d095f19b2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
b9fc12668b4efd661491b95e7b91469e

SHA1
0b554449b7fd8426fbc5c6eddd29b8677366e346

SHA256
1a5d909ff0d8936d40df780080daaab449b482c47ff77efb710b23b121e98a4b

SHA512
67c07dd4690634fe63ae33b3782bf9dce26b41611ba7ff1a2af9d4d9221d0ee95a9d98bda0ec6dca78f5f76918dfc211f7136738b9ff0e0cae097204742283b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
cbce1de57bb91b89d20f942642cce731

SHA1
06956a1517bd1bc0e8877f80d1c1a30ecc202a95

SHA256
7b4fa98d9ca2d5c36b60beaacdcc3f15df55d9eb6989a8030b65332c87089c11

SHA512
05cbb7eb474da32733a9b3959a362a2e55964f206a3c061ffa249325b907ede4abfcdfbe7b45759928abb1830e6b0301fd8d479eab45d34522e732485895d7f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
55431ece6251c22ad494bf8c664965b0

SHA1
c8c4f6f76bd0e7ad78a1dc7b19fb8f529bf137a8

SHA256
2088bd0fc6029d94625b01ce7dde02aa3bd837e59e6227859f5df8e30b032e64

SHA512
1496afe2e47eb4458fc11b6d7ecb112569a45d23149ce0c24e4cffc6b2a94bc2fdcbc6e4f51beba39b1924e6af192654398489dbe87b905a1837f32eef85204e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
2f8a7f19ed09d47b867164a4d2c67ae7

SHA1
035107c60ed3e57baea1a44677a6fefc78a707ed

SHA256
5d94cbd2db9a5df31898020609dc6e673d60f9f069120e9ab1f2198c51ee47e0

SHA512
d459d98b659916d778bf262197d3f3a75af11791310663809737af353b99a17ef566c8bdcb5fde196e54ac0cbdf7095b35ffb9fc4cdbb175ced22eaeea7bbc76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
c6c2b4aaa0d09eb6950242c88416e263

SHA1
69b9e45affd105d09b0a2e3f8caf817a1c66cc4c

SHA256
e425ec6ed2979d7c442d32472b63135a9fb48b9b6ff451b0e69458e29f5e5ffe

SHA512
15ab56b2239122419f7a8baaf2e4a42819221e8385125ee4d7ffd2ff6718b17b4104dfa3514cf9656791ccd42ca12d3b871ac4db1007818df18dfc59e1bbedb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
38c1091b6edfa2f219e8110a61a7631e

SHA1
71442b2fdf5d51d88e5de3aaa493f5d2cab6951c

SHA256
f31287e0c72b6305d770a48a161bbbdb4833b74a1a473f6c5e9cd81ee2010c56

SHA512
20fdd7e2a5137a8f47c4bd48790dc2464e992970520363528bb532e8f15bb790d94174483fe50d4ee9f8c14a2a0ae27b50f884f93747871f2637200e115204f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
eefbcfeca4d0a1df1542949eb13dc01e

SHA1
4b7485406c5359ef18eda6d3b0d86cbd72b07a7f

SHA256
087fbff473588574ce8343bfc095b15a259cbbaf434c1b0edaf298ef14e05979

SHA512
3f722ce07265ee0f70501eb397f536b29b0118c541922101aca3701906bb561bf3e71a69b32865fd295fa3a411a1c8d7ca01373a0da27696755f9a7940114eb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
1a88568e91f90cd829ee6fb376baef09

SHA1
522309b70d6df15849ecf0d3993dee15ac21705d

SHA256
a512241c667ab56cf113314f56f2ab94cd529f8baec4b90d076c60f0e840bfe0

SHA512
69b77974881662efbf0210b45e131da7ceee334639f5870d437771086c490af0f7d14c7aeadae76e54fcdf2912e152a21230ac285e031945a74ca02069dd931b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
ae1a3511bd5113e00c3f5921b64d0b88

SHA1
b3e7bfd31f45e95cc3bcb5571833e21efba57141

SHA256
ad11cedf0496029d7368bb97fb2fd97ae9ee1ed1735663df3c02922cc8d06020

SHA512
a624ce511a6cb70902775435a3e2c50dc65d487b877aa8bd22d82fe0f6d27dc599ad17b429a3d07f114dc3feb5c6c7bb97f31a313e779396d561feba3a72c238

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
872B

MD5
f7298aef7c63556967071a89c5b8d322

SHA1
e8a863784e58fddd7c139cb937c935ffad5ba5ca

SHA256
2ec98e5c9261228ea0c1e4b24b7ea806790e03f2aca038ebfa3a3a9e42d4830c

SHA512
14dec37886832c3428214bceff03960e4a0f30c96ae7fd39aa0bffda7b14b2cdafc0657178a22346a87ae559ff1d422dff892721d9368dba68f2dff4a77049ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
f37fef3913c2e007bfcda697c7c649c8

SHA1
385f248e25c88e607083af437ed1678ccc42ea7c

SHA256
c9757030e5cc7ed97dfb738aec69ec6a3ba08683da529619bd030faa6d885aa8

SHA512
3ddc0799d7536f66ada4ee7921d9fac96a9f87328dc7c5a3a5e46d4c912a104f93f04b3cee11526bc9da5554c3dcab11b90d7ca0cf8a74d5ca83cdbc37f80984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
519bcef3961affe625e0f78dbf7b90f0

SHA1
888e25cf0c7bc82b7d085dc13d805991dc2e08ec

SHA256
b3fbcfc9cbf87fa9cf747ffd78537007127b46bd447addc8f026c1de1ffb0f94

SHA512
9379a45beba5d2e9585199f45d19f5c15050c321430c0bb98095c88afdba7a8d10d377cc1279eb48db8e9c75eeedb989759ef0bd25c69d5b5f9b49cfac7fdf80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
6c90b59be8c833db12ef0ab834dfc891

SHA1
1070732ff8b82185f182f9b7fd9e8ef36668a15d

SHA256
520f3ad97994fbf1526399e917ef42982f4199ffdb0e139b03c4015fd5374137

SHA512
736d527ee4da8bec81e883962e12bfd337679009d5d60834dc8acafc4c1101e5b61f9f19bb1859475528bd74ad61a4f7941a89d7734b5d1d767be4b82aac454f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e9f59bfcfc1e5d3de3038ebb735a9876

SHA1
f42a3dbf7314bad58d4bbafab6456a0125db3de2

SHA256
c089d28604c18cb585920d392f2a946fd763b2a090681c2947f63a68e9da05fe

SHA512
408bc03c2b57a77cbfe5f076e67ad2bc74a958b111dff022d29cb58d8ba95d717ecfe9d6be9a484fb3c35e41024838b60d379bbd379fcdb1cf4b27c08b8a4e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7e5c96f8dee8030dd68ac4eb43f4fbe7

SHA1
0a8c5ccf73d48de62ccc81a60d693fa307bb23ce

SHA256
b23a76d57a48b9da38acd320dcb3429bec80bd469a28d77c2977e457ba310837

SHA512
73840f6fd8b85471845fef3cd1ce6c0ee56c2b23db3b9f9f8cd730431b1b85e9de2b0174fdf32eb68539221a186fbe1bcdf0e2282b34d338c85a9c58d22e8a46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7fe3ca73d1aa2db9d5df88b01956a0be

SHA1
311a857ddfcbafb554a90b93865ace7f8ab8f1ef

SHA256
c531069ef9982da33a6a05b559dbedc22ada1059e91aaff777be473c35d694b5

SHA512
61a127ca175e179888db0e766a50ec16edde9cbb34af3244c44aea8a336ce87b1741196f2a32cfbeb237c57c2c56f6be640df3e611ef0f340a773593900a115f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6cd0b2b721df6dae9d4e108c156e0bc3

SHA1
8cf982ee559a343c759967f06df5e8e1bc3feee1

SHA256
a8e027bfa08b3c187f3309fb49861f40df14f22db6c5d73a21e4c5c1f459e5e4

SHA512
17cb5509426714a0e7e78c814dc525f63ce14107e7425e99dfa94ebc54aa5f54e0ded4bebce44553468b3cca634067ac0fd040c6dfdc67bd606f30dbc6dcf439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
b3716ad59d3d3451649d6d4bccf5e05e

SHA1
92375c9d2928b568a44097cad88afd8e2ce3d514

SHA256
9a82d103fcdc937832232e874d5d9e3d0327b6aa8d031d67641c2ed3e9266479

SHA512
60cd712a2e1de1278de85e5f40e3988b22a067ac066b4e75cf8b7b14c2e83da8548bd071b2db155b0cbbf358a76848c5486e0417b8fc72d7a849ec8555250ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8a0fb7ad60ea4220b8518f3c8f4f3efa

SHA1
b14b2b0ae6a6a76c65979f086e0b5fcfc66eb136

SHA256
461529c6bd586ee82a669ded1a124f97aa018a09dcba7eb623c7e918a702a820

SHA512
fe9798159065f5c185a2407dbc3033a7f37bc85cf29a7b378389325bf8ed2ef4e325f0d21f6d4dc1a0f75ef2cfc6a8cdeb761ee8799cd13e0cc8fdd57e906e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
49561bc9f2b042040465fe7a13edba67

SHA1
eb80df438c3dbbe257abc6e76018862a91184ee5

SHA256
115d03aeeb133c74b2c6211319e54d3f507fde450d44ea9572448c739ad49dec

SHA512
36bdbbec456007442d0425cf29c8c24daaf8f84b93c8d6d06ab40251dfafa7674015147f25bca8477ceb9684dbc165297f1ca657392d57e2cf84b23f963474df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f1528cf12e194e005bb2ff55ed3c0214

SHA1
8d4fd38bb0445f6cc52afea5bf4dd0d7e009e305

SHA256
65b4a2a4136227b130b22bd1d652ea7d8f23ed0f8ed87e8e45ac8c920aa4c990

SHA512
6d77844320867f0f887f71b1a82a6e7e480b71d38a8a93934f6cb9066531d9142374d3bfa5f2084d7a5cc9d4c86f7240368009eebe6d8e47612d3f341daf65ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
47eacdedd169826b14eda6609bb1fb70

SHA1
6999d3fba8e857226a04ad6c1ab14f5fac5e737c

SHA256
8964b9f874e394c642f1867b94a9c8c3b32f01954b9cd523b2fa319ea950197d

SHA512
d5196adbe2361ea56aa00e965d700bac53146bdd61c32f6163ac17acdedcbd5d989405710730b201bbf298015ee77a8bd33f7fa9f4e1e2021198bf1a405b87e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6f465b2853e66aecaae00771d64b3414

SHA1
8c48327580551a353bc84cddde51539cbcf77ecd

SHA256
5658debe9fececc2eb0dcde3badf9ffedb2b398f99c1a91b68dccecaed97f41f

SHA512
1bb48b0c4259f07e7280f4f202c2a0e10a07abe9a4be2de603315d7a84d8c55cf2578a43ebf864aaf0f0c7a1cf88ef01b8d823ad05cfdeeed20b370150715607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
c40c919945a15cd2935771bcc87ed222

SHA1
fbd05847078c997766ef77a3aa98fa284f05645b

SHA256
5c9ca2e6f44ec0cd60b5ac61f32c692e28e2d6726c76b066b419c2f465b0596f

SHA512
b065cac76c9d2b67ed69567f5de861a0ec1b99eb749862d4ba4240132dda7fb49b74c085f7f8c884423a64ab7742935a9a156fe4a4d5f057b6815fc92fdf3c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
9332726751d9a11c6c33b29dbfadacf9

SHA1
1e1d856bee87d6f32a27c380f5876a515063a843

SHA256
04a692bfb520b314d687cf3d07bdaecc2cb41ae20232ff83517bb6e31aefe946

SHA512
d19f72d07c67361eac68d5eef29de0daa3c97929d9d36691ca925f7045b8787dd54379cfb126a5ed538945c1938d786a6f1a082030f54ea6035fc23b3eace193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5eeed2.TMP
Filesize
48B

MD5
c387c764f91ca16f5e0c16050a15c62a

SHA1
2f788b468a4d1d2923ed34d3dc3b313bbc02c513

SHA256
c65b8d842410f20eceada70aa683af6e19fd3b28d0a815ec68aa54b25bb35905

SHA512
ae2977984bf50632d69ce5fe116b06ad50ae1ba353d191aa3079aa67dae6aa8240c03c71a009659a120b26324e01ce659a7e74d514377a0d27cad204e8c65200

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
1ac228203329654fe9892f1142521473

SHA1
0647f7efc84a1c2d0558c15615c5fe255f0cd327

SHA256
0c2e149a1bb1c1b1083ac862581f5d1b1c275528415dffeb78fd0d807c705384

SHA512
f1568e17e1cd3bdfd6fcdf3659b6b8eae31dfd75235e365caa6444a6e4e3822a95f68525906f6300fd23db74bd566cedd07fd5a4eab601ca83a5a2872cb5d23d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
81b48e4fd75bbe085da5fb1d83ef5026

SHA1
db908237cdb897fbdf2d577ba7deb2fefc77f8ee

SHA256
6f7e8d6fe9759c05ad879ad77cbadce3768d46baf4781f547337db06a3168e98

SHA512
8ef8db9cae2b841493f69e4200dfff8f5861a7364e2ff22da2ca87a6900de842877e01011bb19e4bb4d2c795f2dbd1ba5e89944d33b7249669874ed803f95ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
80bf246abbf1c4778546401d9aea4dae

SHA1
6dd24291b6a5a5838d72e73a3dc45df9b1033fa3

SHA256
356d7b6152b7773b6a2a79a68db811d8643bae1d77a102fdb4d675e9354628ce

SHA512
e6196af51c92e7541d73b915ce82ce67b74e68b1c94425498d6c23690f45121eebadf126440fc3348f8f17a5f4ca12b42cf4b98b9890f9b96ad4f8e9effc66c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
af68dfb44a93da4d99b9095679b66c6f

SHA1
b8efbd6287731b4c948048fb22341d700c51415b

SHA256
8272fe39387ab6e90b827e1f9028dbc4f375d3850e328d964cd234b0ee8cb803

SHA512
5216423b18ccfc0e36ab084a215a8ce01c4b5d24f2d9a871b36c107b6ab43c4f20034ecfbe9eb5ca0f7a8146c5af664e7eb058df95597035b2d509c55681548d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
4c13151f15411b3a0432c24349a99eca

SHA1
d40790cb497f033b48e6778074c5dcb1afed26c7

SHA256
63e71ed194b6ec4c630c24ad3d097ad898ba3e36b5830dd11c2039d9f360939d

SHA512
de15556567233a021aef3fb7b0a083474e9194de8be3f11cdb3b7c9a8ff0cb7dcadee4b1cf4c4dd5787428ed12555151ad072e19318cbbe564ed8dda0d90c177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
73a36d2aa025b3bd7d246e3df82dd4db

SHA1
cea83de2ac1b4c6dba137819dc3caa79897b8dae

SHA256
14857b4070fe0428101974f9cb2fba60cb0a8fc1463b065364fb75bf64c52e5d

SHA512
bd1ab81c12aa6880dbab7fb52983a7b487a24d1e782856c15897d0e08a9dcaa2e92ccaefd7061ab2c994cd7de578feb83ef436ba74f33edf7386a98316bca29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
94KB

MD5
b3d15d7e40f2006ead83163919157373

SHA1
66a170af67cf151ddcbb49d11762533b833c08a7

SHA256
23fff10338b79dc18967aa02869f2aee49cd4b12036239ba6d0a776f916dfdad

SHA512
6d33053b16c1be9aa9bb213572ba84d92201d1526cc5d30d9019fb4a415190e8d6642486e21d936216f3ee9f3e865eb5d0ec991cb150d229547e9b96174a5340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
0c5941f958f2a8b3f5b5bf3d77281a6a

SHA1
7cb9c908d6fcd8a7c009cbd66d2e5d8262f5f294

SHA256
e8f0727f2f940a756e1e427358c5e6786fcd2bc4437d9fd3e6290b2e3b8327cf

SHA512
df7bf57a68c992e610a674b4483c8af340512e5eea3f5b7d8457c2e89cacfa0e566c9b8717e9b2d7a669d988515fd8a24e7dbd158f45c754ac45b0a610f67d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
4cb178689e71e3f8a598048b5162dd0d

SHA1
8f2c61e3cae0946a6cf685e1bf577219e8d153fb

SHA256
577bea04b15e14a70f0f40672cd8d627663aff50da826bd9d6839697963a089f

SHA512
1f5abcb5970f1480e9ef3aabb2c9d0a1f6af2c42180c323168e00f278a3e5cfe7bca224e697fd79854a40703cd54dfbe041379c9d5064532830718545164d37a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
4b32d12a819bfd83d49f8120786b9f9a

SHA1
8d05d821af9c3f71d0624c30eaaaf60c4c9a5242

SHA256
aa10b5c931588d87135c95fce60f5297056a00b53b868d6908c8a2125bf50405

SHA512
08964cf8f95952074961451cb92c39689d9862c7f0741aa3d99bf631469f23df8010e0102fffd13a761b966830f28703a1148ca6223b2d128c705569852d77c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
41918ebd688688c10ad801bb833d3ba8

SHA1
231cd031f6a778cc39b47438bdb0589e30523a0d

SHA256
ba4410aaeeb1f45c567c7dcb97d672ec486aab41e312238c31e526130350ab23

SHA512
54dd8c742ea4a083065fc84d0ffd7791425a9746046e53b974beef59403e082ef7cedd001cff9ec1554b1454c192b5b9e8ce7bb34d14721e79fa992743d4e5e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
4b32d12a819bfd83d49f8120786b9f9a

SHA1
8d05d821af9c3f71d0624c30eaaaf60c4c9a5242

SHA256
aa10b5c931588d87135c95fce60f5297056a00b53b868d6908c8a2125bf50405

SHA512
08964cf8f95952074961451cb92c39689d9862c7f0741aa3d99bf631469f23df8010e0102fffd13a761b966830f28703a1148ca6223b2d128c705569852d77c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
178KB

MD5
4c7de211b762326f19551fb75300e868

SHA1
8f4b9113b62c0f8accb3e1158209cd93e1cc4bba

SHA256
85c8481a4bd7026082d5b57eefdc30322b74a68fd39fa71d5bb4c57f6304a331

SHA512
8b27d0a9d72e8eae6b9d49221d8049c089c618c194aa8a07a065e3e8e8e7b041f22a1bca445608ce2dfde10647ac2032bca667339edbb77a32171bec6bf14a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
5b6ed6373cd904c387b96137211e5298

SHA1
3c8b5580611924481a18bd0049f0a9893ae7170f

SHA256
4a22a24aa3fcd587f1acd5a7818041c45c86d8d37bb8f189f108d2fb52aa989d

SHA512
9320e268682af3c4cc50d1906320dfc278473244f9470a2610f1380331fdcf160625060ac0522c7ea41b5548cda530e0cd90aae2be97077e90bc1f1978a1a054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
115KB

MD5
5941ea12374a9d5d6c888a76c29a7b00

SHA1
280d7fcb1881707fcca456c096b34db174cf07ac

SHA256
70937da89c819391c76172ad672499527c22562679fb09d94a04fe583e874a18

SHA512
d682c70a68b49ce463f113410a4a2fd4fdc6ff75d4189a3ddc9fae9e09c00b373f519bcb9308a90677decbda87d609e4deb858aa942a76eb2d9829c5b24a6f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
114KB

MD5
086be5185cc44507554953eeb34e9101

SHA1
2e1db8f9dfb07d6fb6a803f08fd3f744d7d7d0ae

SHA256
1c10c2634003394c3bce9807c36db0b9bc6758c2320fc2cf017f4c4873abb9b6

SHA512
99ac86f32f8b99f49b94295b7b2e22fd2e6860450d6fe4ea0087dc8c4ae7284ac29c9ec1d07cb7369ec89d7bd7bf990ec1297d1a60b17db471c18422c7e60fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
f333ea9474575b4d252d9693cf9e51c5

SHA1
d13f42baccd4eec5cd73c3d3a3aa820191ccab94

SHA256
9f929e44ca0fce90c037866a5acca2bf07c38c12ef5883c1551b2a91fcf66472

SHA512
db87401da7627a89f01ea95fc6a60238c68b9126385a27876db94bbb42a67712255fe8539a5333598e4c916ee13f370a8259ef508080ccb509c2cbb82ad8673b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581be0.TMP
Filesize
97KB

MD5
47ec9de0ac8e72104f547c4aedde59f0

SHA1
9e5945cb1d824afbd493ab9de10020e2a33768e2

SHA256
ada39b0bba234a16c88b879cb64f00a9dfec056bb98904c08b1a3a75fd7a9220

SHA512
8316553e9fb5f4836b216b5f40316abe4eb5937cf6705b74b7ee4cce44e1b2ec348d1e153f4bed8d2a566d03f110a0edb17ea1451fb1575aae4e06a99508a4c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
6402118819a31492b9b49d050849e747

SHA1
ea39615999e4ee20157c3d4c39440081ff857589

SHA256
f2d75ab6ce9930617bc59c9c9694695294bf0220ee97aca0eadb59bf6a6d29b9

SHA512
c75fb6f1aa6f3d6375a4807586a442c7d9499c8133c175856d00477063915a4be52c24ed7cde65c4a56a686e66f725b1c310aa81542b0591b8828d6c7262ba2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b5f5369274e3bfbc449588bbb57bd383

SHA1
58bb46d57bd70c1c0bcbad619353cbe185f34c3b

SHA256
4190bd2ec2c0c65a2b8b97782cd3ae1d6cead80242f3595f06ebc6648c3e3464

SHA512
04a3816af6c5a335cde99d97019a3f68ade65eba70e4667c4d7dd78f78910481549f1dad23a46ccf9efa2e25c6e7a7c78c592b6ace951e1aab106ba06a10fcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6201c4da-1ddf-4a48-bffa-a60cba64508b.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
624B

MD5
05693fc684ea9f81ec87ef855dba28f1

SHA1
72ac3946e20751271a9bc513482b18d384a3ba4a

SHA256
4ab4a7d73f7c69e0be961dcbd1682dc9f9a8b0fe31386e44f7009f1a621aaa3b

SHA512
ae1a6e3aab1b1ab104eb5370f075faf637d7e7f3f370e79565b56beaea6debf27666429cb2bf4fa56fc0ea09c2c66f5186f42dbc5734f954ee5bce9222c1599a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
cf5021c1cf3f034d493a2c08802abf22

SHA1
d3cc0e7892a5b65b201552d772b01bf1f5fc7922

SHA256
729d041def9e7bf82bc5cf5f37789d7575aa9481d53bed7927c5e85eb75a79d6

SHA512
d8340c64b95e88235eccad8694370788adc85f9d1c4089912d117c94223abecc8b518fd4c11506c0833dbb4ce57220c9864789036d3280998dfcb22893c21c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
af903c9f3ff51b971c41cae0d358354f

SHA1
be73bd3a4af182ce8daa54148d4372b8ed50e678

SHA256
f759011cbe14b55cd52b09c05b5726184662f5dff565b9bf35860e676caf5b6d

SHA512
770ade414025d917d1fbca5c7c8a52053efa906a75a10ef2d7101b46e3c85aeb0c7630dd950e2b10d38f050f5873763d905e0d3444fe2feb00b6f28ace7a6e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9321b84ab404390911970b51b1a82b80

SHA1
9cc8904e16492a3f77d9a7d9caea1c4e259e3997

SHA256
506852fa120219591f027eb3ee364cf2b918faeb2391264cd68db04f9e4168b6

SHA512
721ea310965bb0179e789aeaae659927491d3cf784582af1643e6a2f37c6807cc7924de453f3c09818d7cf00271e5802e6a6d3a0ca9b1f3228769e4a460aa68a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
dae65409211ef96638ba0e65150f2de1

SHA1
80ac05ea5b4245efbdb2b75cb65644248fd61c49

SHA256
8e4caf28b68b8532fec86170e947fb75080519c654563eedc7d0884321e6ee3f

SHA512
e82fa7e0ec7299bb27aadbad91c2684d3a67ebe8346ecf15349cd47f534a13381eb72e6182f5c5d0f5f140539e35121dc53c078749b35d5cb23297b868b66630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
7bca0e0888fd0b3ef8394841b8df2056

SHA1
92bc22373c716c21b6a40e0a3058416c93ce7e89

SHA256
9479f4e083c0b222dc34b6d2c2be387c3bbfac0521b7fcd00d84dbef2c1bf106

SHA512
42352753a2e6b961c698ee653f3634876ae0c1115633c30506a88faeb0b5276f876b89de04fb3490e2400fdf73ee2223b68344469315ebcf2f181bb7017dcad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\dp1.fne
Filesize
128KB

MD5
07201b1fd5f8925dd49a4556ac3b5bab

SHA1
a76afbb44376912f823f2b461507c28d2585a96c

SHA256
abebbb0981d3d51eb63abcfa68be98da0cae4e6e3b143dd431fc845d1457dbd2

SHA512
0cf673ce1b6cad38f0211231e876f00f6a8397a5f3e71680046f4a216bbe0f47f4541e5f5b49364310e41a04cce14703459725c3d9f052f9da13624e73753e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\eAPI.fne
Filesize
308KB

MD5
7c1ff88991f5eafab82b1beaefc33a42

SHA1
5ea338434c4c070aaf4e4e3952b4b08b551267bc

SHA256
53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731

SHA512
310c90c82b545160420375c940b4d6176400e977f74048bfe2e0d0784bc167b361dc7aac149b8379f6e24050a253f321a6606295414ea9b68a563d59d0d17a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnr
Filesize
204KB

MD5
856495a1605bfc7f62086d482b502c6f

SHA1
86ecc67a784bc69157d664850d489aab64f5f912

SHA256
8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

SHA512
35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnr
Filesize
204KB

MD5
856495a1605bfc7f62086d482b502c6f

SHA1
86ecc67a784bc69157d664850d489aab64f5f912

SHA256
8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

SHA512
35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnr
Filesize
204KB

MD5
856495a1605bfc7f62086d482b502c6f

SHA1
86ecc67a784bc69157d664850d489aab64f5f912

SHA256
8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

SHA512
35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext2.fne
Filesize
492KB

MD5
dba5fdbe7ec94463b3f6fdf2162c9f95

SHA1
a97137b4f2b77166b2a23da1f58e0bdb7365f4f2

SHA256
a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37

SHA512
325439bb5fe0e18e08cd547e9e9d505aa5b1ee51a436cb155254cfb04d318679e7a016cc2e72ffaba49bed20e15e85b26fd2a22e726e211650317218dde53ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext3.fne
Filesize
384KB

MD5
d2a9c02acb735872261d2abc6aff7e45

SHA1
fce6c2cf2465856168ea55ccd806155199a6f181

SHA256
0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf

SHA512
c29a0669630ddf217d0a0dcd88272d1ec05b6e5cd7ab2eb9379bdc16efbc40a6c17cfd8a5dba21ce07060d54a2a3d8944aaa36a3b92e8025112a751d264a897d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext3.fne
Filesize
384KB

MD5
d2a9c02acb735872261d2abc6aff7e45

SHA1
fce6c2cf2465856168ea55ccd806155199a6f181

SHA256
0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf

SHA512
c29a0669630ddf217d0a0dcd88272d1ec05b6e5cd7ab2eb9379bdc16efbc40a6c17cfd8a5dba21ce07060d54a2a3d8944aaa36a3b92e8025112a751d264a897d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext3.fne
Filesize
384KB

MD5
d2a9c02acb735872261d2abc6aff7e45

SHA1
fce6c2cf2465856168ea55ccd806155199a6f181

SHA256
0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf

SHA512
c29a0669630ddf217d0a0dcd88272d1ec05b6e5cd7ab2eb9379bdc16efbc40a6c17cfd8a5dba21ce07060d54a2a3d8944aaa36a3b92e8025112a751d264a897d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\iext6.fne
Filesize
232KB

MD5
4f28d54f86a2a65476c1fd404d766757

SHA1
8dfaa7f2f5e0b74c66cc72817a73b584f6cd5ab3

SHA256
fdd8b6fe63316d94fac544356dd3237c376c79ed6011b2032aa926a92e5b6dd9

SHA512
e5857e8f5bf97a40d479e6528af1fa0c05f2a0794e19cf97b84786d037e78ff9ac3e05ffcc89b8fee85757dd3cff474215a1cdca81799f271908654312abcbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\internet.fne
Filesize
188KB

MD5
7b129c5916896c845752f93b9635fc4c

SHA1
e3fc632af5e1f36e8022e651f64eb8f8381c73c3

SHA256
adc45970f4a0eafd2f372302f64836802380c253096a99ca964677a70a7128f8

SHA512
c72dd4043e7cdc0ccefe26ce8a6d05701b4c610f88ab827e6731296da76b8cbe5b63c0970954ec7616369172b8b8f9cb546545271be3e86c18c54d0b9cad8f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr
Filesize
1.2MB

MD5
142aeebfe85bde2a411116e39d8fd505

SHA1
d42b401d32a7141e592096bb68b6e029a1b13eae

SHA256
c77a0f67c3392dee0fb04f0544d8fd8a3b6ef072d371303afd3a2c468dda7a35

SHA512
afd98e398bfca447bf7df3c4899a30cbef981402283989c6b03956f4d51561410bd6fc319ee900a17ca5842f3ef9102d9b4bc3635082fd2978d57137202b27ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\shell.fne
Filesize
60KB

MD5
98174c8c2995000efbda01e1b86a1d4d

SHA1
7e71a5a029a203e4ab0afc68eee18c39f4ab4097

SHA256
90284c2ead0598faa715cc90c1f53b83b916099c918ce7f816f0b4550ff55ac6

SHA512
a37059062a99cd2a9fae15850b49068752ccf0be9f1d86c3f812a689b7c4d024771ec2b66adf9ce950bc5b8b117d457aba87d586cf112a1a30239531bfc8cd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\spec.fne
Filesize
72KB

MD5
bd6eef5ea9a52a412a8f57490d8bd8e4

SHA1
ab61ad7f66c5f6dfb8d28eba1833591469951870

SHA256
0c9e6eb8648f4bf5c585d5344035e91c3249bb9686a302503b4681b7ba828dc0

SHA512
1c43e50270eed071c8ef35e1c4695a93b9f98e668d4aebb44eb3b620efd2624b381554d2daf2d017f764b485e060abd589216043adea19eac94028ce66cc2025

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\xplib.fne
Filesize
80KB

MD5
8f385e7c8cf1f8ebdae0448473977cc7

SHA1
942bf465e29a5e5f85580eb30aa9510b92f802d7

SHA256
d1a1c6bac6a498adccdafab9d600a372aa9d5b826a33cfa06aaa9f75357c5b23

SHA512
2372a8857591b829763cacbdfc0cf3d4884598c5f1c43f0815257cb7fb3b2c93b60b1027480e1d5a93bbc6eba054328d8d2b4997c7d81a5360811f8f1eecafa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSZDfrP1gS
Filesize
92KB

MD5
177a22c98c534acd52888246c3f0f644

SHA1
1833b4be7410406286bb9e1080b60c2f5a322d0d

SHA256
76a6000f961322e7ddaad2590ff023579151528b83f3b65c54b643f9c531982f

SHA512
161da0587923bb97d1be61700e7be7ceaeff890d5805eb6de853ff7766faf67a2bc5453b45ab8c864d9c4fd19ef5bb22e35245147aceb944ad416a14b9c05fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
8KB

MD5
c41e23baa1d91bd828f7df6176e3b74c

SHA1
f65fe887ced5890fc543507b90bae899c083655e

SHA256
70281780fb25ab9e37ee02a2710348286bb406ef2e01a9def48ee83e83bfd2ce

SHA512
08ac5ff54a8a670219553e0542f47fc01ebc06f3078278f2c1f7da5e827cc60f8a23da0596f615a82a481a334a51e2d33dc996fef6b6ad9a17c024c96fe866af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
586961aae9467ddbbd8dbce44e2fbe10

SHA1
9d175dddda081140c4fe039be5c5d1d52904b4c5

SHA256
15866f67edfa737d7808521a8351f25edb2a3acc84be42175ac55fb15bd20f8e

SHA512
48bb216c62a8d2a264deb569a0e1e6c3e1a61a79425c585be1e13ee59ec587a1be39c50fa00921b94e1cbffe8e678b454244ec8d01b33ba9128548ce043ecc99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
76cc27ce6d38a8044a05095d85f4f923

SHA1
5530b2223a20df014d042cfedc0d31695ffc0210

SHA256
145e398ad639ce7c4aebac8cba2d728576c162e71c2afad104410481cd31008b

SHA512
1b57ba6f73ce0b2d17e069ca946cc0ea8e1fc6d468c563600376694cfa608965f4ca9b61939a66906f40a14c80893aabd2d7fce8d3982a3cf015af39698e7ee7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
d55499fb35ed1c56d5a3eb2dfd392bc4

SHA1
286d82a9e11432b116a5016845cb9d3469f1683c

SHA256
dd00cd2aa205bcc371b936246fe36315480af23466bcc857c6eba849a8347c23

SHA512
03f4168726597f53edebcf755e4020d41720a00af8369c3cb5a18f7c2c95e1e0d984a713851210132f0e3969953ae6fc95af4630b05fd17ec42bbc92892ff56c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
74234aef8ab6f4e3798ebc469723b9e7

SHA1
5a69608dd982a2b0a4f9a9cf8bc306d6c05cfcf6

SHA256
8858fa9550c9d328aac3fec371ccef4aefd56208d790732ccbe33f6a49cf3b89

SHA512
2f12eb4500ce8cb116f9ef9ae1ab21990852ac456d303e2afd415d5c31ad63ab8e975bea3f6af5503dee1cd416f94b5e87c11aeff9cde13d47a2a4fa00a98fc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
8fd30fd74e33e3f5d6b3464c31dfd131

SHA1
54095c53f62c33944616d2c20996222e3094c3dd

SHA256
15d0dd3ef50d95270a22fc0479d5efcfc96d8c55c381e45171733a327dc48b5b

SHA512
b6c3965f78248d8ac652473aa15237dde6b7644e68a4de91ef34878ac0c37e22cd6234bbc0e4eb358469c97127cee0c1bcb0c4eb6e70c7f4bcd63b3f005ce158

Download Submit
C:\Users\Admin\Desktop\Malware\1.exe
Filesize
1KB

MD5
8363acaeab9cbb099b59b78a44127ca6

SHA1
aef448ce5500e3734059ec285cf6ec0b547075f2

SHA256
9b342ae7f25d65bdb817d8c995f3211ac398e41575fc5d149d994c1dcb008f0a

SHA512
a431f7ee4cdc3c7c6edf43736e007e314a0f8c4d05706dbdf75b629b15bee335d173abc071568f447d78b4c43aba02017c1993d6da86a1acdde904eb287cb30c

Download Submit
C:\Users\Admin\Desktop\Malware\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe
Filesize
3.5MB

MD5
f36efe2b971c544e1ef1916596786160

SHA1
9ff8104e488940b8b3be262ff74d0d7984ceebbc

SHA256
2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994

SHA512
7fafc89faa0d46d6252dda7acd3d38c90ebfa97665bc00b8e53a2fd3a883280c7538e39f17ddbb515cbb16a77821bb700c82bdb303b05496105f5d4d114fcccc

Download Submit
C:\Users\Admin\Desktop\Malware\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.exe
Filesize
3.5MB

MD5
f36efe2b971c544e1ef1916596786160

SHA1
9ff8104e488940b8b3be262ff74d0d7984ceebbc

SHA256
2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994

SHA512
7fafc89faa0d46d6252dda7acd3d38c90ebfa97665bc00b8e53a2fd3a883280c7538e39f17ddbb515cbb16a77821bb700c82bdb303b05496105f5d4d114fcccc

Download Submit
C:\Users\Admin\Desktop\Malware\3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe
Filesize
5.8MB

MD5
53aa0c8429220348b51e743251721762

SHA1
14a463ecd0d0951b400d96fd448269400821c034

SHA256
3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d

SHA512
066a79ba19bf1e3f3674316c1ad2ffb4d0ce36bc84d8afa10bf1fd560d3bcd6667a8f3c28e0ed68f4f5cccb76ac6f48f187f1f8127f5161023035b49ed9690f3

Download Submit
C:\Users\Admin\Desktop\Malware\3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.exe
Filesize
5.8MB

MD5
53aa0c8429220348b51e743251721762

SHA1
14a463ecd0d0951b400d96fd448269400821c034

SHA256
3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d

SHA512
066a79ba19bf1e3f3674316c1ad2ffb4d0ce36bc84d8afa10bf1fd560d3bcd6667a8f3c28e0ed68f4f5cccb76ac6f48f187f1f8127f5161023035b49ed9690f3

Download Submit
C:\Users\Admin\Desktop\Malware\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe
Filesize
1.1MB

MD5
3e5807d3ec9608d1accd41b5ad57f934

SHA1
23b898b51d03cc59595d40a95fee659be211d8a5

SHA256
c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529

SHA512
02c9486ed3cea806aef8d6064cd6112359e05c73ede0c2366f79d3b485eb5b8cb35b45e7fc87feb039f4262596545efb46d183ecf40b43d8bfe73ee2714b0fb3

Download Submit
C:\Users\Admin\Desktop\Malware\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.exe
Filesize
1.1MB

MD5
3e5807d3ec9608d1accd41b5ad57f934

SHA1
23b898b51d03cc59595d40a95fee659be211d8a5

SHA256
c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529

SHA512
02c9486ed3cea806aef8d6064cd6112359e05c73ede0c2366f79d3b485eb5b8cb35b45e7fc87feb039f4262596545efb46d183ecf40b43d8bfe73ee2714b0fb3

Download Submit
C:\Users\Admin\Desktop\Malware\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
Filesize
3.2MB

MD5
1507563c31ecaaf29c4b168da58d27f7

SHA1
f0452a3e200c84a8c89ea2098d7a19047496ce26

SHA256
eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6

SHA512
e093fef66001ef08e0fe93eb380fb0bc503e2f7471a1234a299d88e5100030dc14cdf34321e22e879800d5ecb7ad6426ef198fb25add5cb47eca9e8288a72ee9

Download Submit
C:\Users\Admin\Desktop\Malware\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.exe
Filesize
3.2MB

MD5
1507563c31ecaaf29c4b168da58d27f7

SHA1
f0452a3e200c84a8c89ea2098d7a19047496ce26

SHA256
eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6

SHA512
e093fef66001ef08e0fe93eb380fb0bc503e2f7471a1234a299d88e5100030dc14cdf34321e22e879800d5ecb7ad6426ef198fb25add5cb47eca9e8288a72ee9

Download Submit
C:\Users\Admin\Downloads\2446a9cb83a1ed64d738b638a4f62cb3709c92f9002425ebb7cc8639f17a1994.zip
Filesize
3.2MB

MD5
2d5f98a28648e47e045583c856a6f894

SHA1
155d43b7c85dd536fa6cea7757d3e862e866274b

SHA256
4363011f6c377e35a3cf2957bdbcb36d4c1de2c02f34ae94142c5f6d532c9129

SHA512
f8fa0e126896673ac0e97b60c9e428e333a1ff04b7c4da151be6436269abe09d169ef8fed29028b6a786626d5ed98234e029497fb9b7b5fa909641a91a93b750

Download Submit
C:\Users\Admin\Downloads\3e2703dc1b0f8d18c92f2ba85a99ffd5231362f7022646e84cb4d522b616884d.zip
Filesize
4.9MB

MD5
d1087aa52d347d82b53d6630a40b68aa

SHA1
ac137d4b98567ef21dcf321e4ff763704aa1ab0b

SHA256
df15b45c06d749ab7e7ef1f56ad666e08c779e106fb731a3aec6799bec9951af

SHA512
ec96cc145e09aef791f67e86ba2cb8bd72d5fc26dd2e005f27c82903317b921a179d2a25ce304412dee86b39eddfabe3183ea6b2e8afecc519d8ad2fffd91621

Download Submit
C:\Users\Admin\Downloads\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.zip
Filesize
730KB

MD5
260c62da14d2109bdb1e98609ccc1af2

SHA1
c0dc167e1ffdad8fc64949d3767f64010e1c5c16

SHA256
85c14ae2be8793f8e8b92ec9d3574775d365add578a1cd1f5e8a944e4ee7756a

SHA512
96c34efbe5eaac60a3183cedae726ee93f84c5932ec0d713aebb78f9a3aebb7cb6dd3f6669683b266c89c9f63b5a09db1034e379d3e914d59e4a134855034ee4

Download Submit
C:\Users\Admin\Downloads\c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529.zip
Filesize
730KB

MD5
260c62da14d2109bdb1e98609ccc1af2

SHA1
c0dc167e1ffdad8fc64949d3767f64010e1c5c16

SHA256
85c14ae2be8793f8e8b92ec9d3574775d365add578a1cd1f5e8a944e4ee7756a

SHA512
96c34efbe5eaac60a3183cedae726ee93f84c5932ec0d713aebb78f9a3aebb7cb6dd3f6669683b266c89c9f63b5a09db1034e379d3e914d59e4a134855034ee4

Download Submit
C:\Users\Admin\Downloads\eef12d5811dd70782bf19cd787641dc8050a564aa9416588a7873f7a41f98dc6.zip
Filesize
3.2MB

MD5
271701566cfc948863177cd8b3ed141d

SHA1
eef8e4a4e9d5cb735cfaf5f127614620fe639976

SHA256
b7586d3d7edd9b865ba825c8944a5897642c429ae6af5830b82a860f79f71013

SHA512
959d56001cbb4576e914dff5e38dd877a667a7db15db26f61ddfa1f9fb5c5ed5df0ae35ea66d539db06772fdbea468c01e1befb0abc0204ad3865e70ac2f4de3

Download Submit
C:\Users\Admin\Downloads\ef1f88dd4b0035bc9540ac0b1e3668e246ae745446e3670e4f38d606881cc72f.zip
Filesize
785KB

MD5
718b57ba6e6712838288f38b7cbb3235

SHA1
d9af41a90dd8aab1ca9e6babc86c11a292b9558f

SHA256
9c90cad91465846af5c1a1f806a36fe253bb2f7f1f76b91618a4459652e57b21

SHA512
c0e7a073617ffcee581dfde1b5bc9202058c84d70bbdddd4cef22883e9e1a6114103c3e831fcaf8f935da91a18e4477c875af704ecfef7f6fd20c78b95e3ef00

Download Submit
C:\Users\Admin\Downloads\f5c68240b5a613533e53476cd20561e57c79d9cf664c48bdbd9380886005a2c8.zip
Filesize
3.2MB

MD5
3bdbf287acd677e2e0a2209f0fb5ceb5

SHA1
7de32a06f23014648679d7289a101e3e35248c35

SHA256
2c3dd3c84556a0be17f9c7295c4f07dc8e98228f575d34502f9f32047f2f1401

SHA512
62beea9d5125a4174e70790ad4fc6ec057a269ff35c299f8afee7ce9ac1d23c6814b0565cdd49a168699835940501e880cec96fe0988870f3bc707f669abf601

Download Submit
C:\Users\Default User\SpyHunter-5.15-6-5285-Installer.exe
Filesize
1.1MB

MD5
3e5807d3ec9608d1accd41b5ad57f934

SHA1
23b898b51d03cc59595d40a95fee659be211d8a5

SHA256
c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529

SHA512
02c9486ed3cea806aef8d6064cd6112359e05c73ede0c2366f79d3b485eb5b8cb35b45e7fc87feb039f4262596545efb46d183ecf40b43d8bfe73ee2714b0fb3

Download Submit
C:\Users\Default\SpyHunter-5.15-6-5285-Installer.exe
Filesize
1.1MB

MD5
3e5807d3ec9608d1accd41b5ad57f934

SHA1
23b898b51d03cc59595d40a95fee659be211d8a5

SHA256
c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529

SHA512
02c9486ed3cea806aef8d6064cd6112359e05c73ede0c2366f79d3b485eb5b8cb35b45e7fc87feb039f4262596545efb46d183ecf40b43d8bfe73ee2714b0fb3

Download Submit
C:\Users\Default\SpyHunter-5.15-6-5285-Installer.exe
Filesize
1.1MB

MD5
3e5807d3ec9608d1accd41b5ad57f934

SHA1
23b898b51d03cc59595d40a95fee659be211d8a5

SHA256
c3715b71e4655d0269d6b9e5c82cb7d7d31942ddafdc821c9b85741ebab95529

SHA512
02c9486ed3cea806aef8d6064cd6112359e05c73ede0c2366f79d3b485eb5b8cb35b45e7fc87feb039f4262596545efb46d183ecf40b43d8bfe73ee2714b0fb3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\EnigmaFileMonDriver.sys
Filesize
82KB

MD5
35023b3cf6e48d1a4cc9901afd8da844

SHA1
e50576e17e472f27d057a2f52986116fffbf4b19

SHA256
029b8d7749b9f904919710a787ebcffbe0b1960310cc7c2bb65f4c0f3453fc4b

SHA512
ea41f31efd7ff272ff0803ecd459cf5712afa41472a26252dc2e9cf042bee981f1b037f43e35d8e4599df144eaad44b8d1a29846c9c23cad5fc4a7cd7dd57562

Download Submit
\??\pipe\crashpad_1808_JHFATVZRUGXTFXKZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1744-2142-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/1744-2151-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/1744-2148-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

Filesize
64KB

Download
memory/1764-1174-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/1764-1171-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/1764-1170-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/2060-1057-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/2060-1072-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/2060-1009-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/2060-1011-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/2532-2288-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/3144-960-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3144-971-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3144-958-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3144-957-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3144-959-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3144-955-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/3300-992-0x000000001B160000-0x000000001B1B0000-memory.dmp

Filesize
320KB

Download
memory/3300-991-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3300-990-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/3300-1010-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/3300-989-0x00000000004C0000-0x00000000005E6000-memory.dmp

Filesize
1.1MB

Download
memory/4000-1207-0x0000000072190000-0x0000000072940000-memory.dmp

Filesize
7.7MB

Download
memory/4000-1184-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/4000-1182-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/4000-1178-0x0000000000AA0000-0x0000000000AD0000-memory.dmp

Filesize
192KB

Download
memory/4000-1208-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4000-1179-0x0000000072190000-0x0000000072940000-memory.dmp

Filesize
7.7MB

Download
memory/4000-1180-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/4000-1181-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/4000-1183-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4200-981-0x0000000140000000-0x0000000140620000-memory.dmp

Filesize
6.1MB

Download
memory/4256-1499-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1227-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1451-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1209-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4256-1402-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1394-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1546-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1211-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1212-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4256-1378-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1370-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1359-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1966-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1321-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1947-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1239-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1896-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1777-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1411-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1808-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1870-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1816-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1835-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4256-1238-0x0000000002FD0000-0x0000000003417000-memory.dmp

Filesize
4.3MB

Download
memory/4560-1948-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/4560-2099-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/4560-2002-0x000000001B130000-0x000000001B140000-memory.dmp

Filesize
64KB

Download
memory/4560-2001-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/4560-1950-0x000000001B130000-0x000000001B140000-memory.dmp

Filesize
64KB

Download
memory/4860-2190-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/4860-2155-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/4860-2192-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/4876-1137-0x00000000042E0000-0x00000000042F4000-memory.dmp

Filesize
80KB

Download
memory/4876-1015-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/4876-1059-0x00000000030C0000-0x000000000311D000-memory.dmp

Filesize
372KB

Download
memory/4876-1053-0x0000000002A50000-0x0000000002A99000-memory.dmp

Filesize
292KB

Download
memory/4876-1016-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/4876-1041-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/4876-1064-0x0000000003120000-0x0000000003137000-memory.dmp

Filesize
92KB

Download
memory/4876-1068-0x0000000003140000-0x000000000317E000-memory.dmp

Filesize
248KB

Download
memory/4876-1097-0x0000000004280000-0x00000000042AE000-memory.dmp

Filesize
184KB

Download
memory/4876-1014-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/4876-1048-0x0000000002470000-0x00000000024DF000-memory.dmp

Filesize
444KB

Download
memory/4876-1141-0x0000000004320000-0x00000000043AB000-memory.dmp

Filesize
556KB

Download
memory/4876-1040-0x00000000023F0000-0x0000000002431000-memory.dmp

Filesize
260KB

Download
memory/4876-1186-0x0000000002600000-0x0000000002615000-memory.dmp

Filesize
84KB

Download
memory/5044-2238-0x000000001B430000-0x000000001B440000-memory.dmp

Filesize
64KB

Download
memory/5044-2259-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download
memory/5044-2236-0x00007FFB33AD0000-0x00007FFB34591000-memory.dmp

Filesize
10.8MB

Download