quasar | 164dc81c3d8ac61c788cf466d83487f5878f96915f4a18939d278e249cbdc949

Analysis

max time kernel
61s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Android Tester.exe
Size

22.7MB
MD5

f39cec8c25192d89cab82d32e2645b98
SHA1

8165bc234cfd0fc6dda711d5c032d7c97bb6ee5d
SHA256

82df477a1e5e4105c96c8820385bcd3c1bd54995967d29d2e639d040db5b1574
SHA512

6f194968ceaad61f43ee5a48e433e916746fc485b6e60eb24c67e98e83ea76e8e57f52e4047007d4b58fba1fc38e447ca4dc2942e140e41e3c985538c713d524
SSDEEP

393216:yQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6eX:ykPC0eSZwPtuTx/qU+xv93

Score

10^/10

quasar venomrat office04 discovery evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

nibiru3.duckdns.org:7777

Mutex

VNM_MUTEX_ubQkq789WptLUo6CNl

Attributes

encryption_key
GaGctuJ4ar1CIDW3hoKN
install_name
Winstep.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Winstep SpeedLaunch
subdirectory
Winstep SpeedLaunch

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023266-16.dat	disable_win_def
behavioral1/files/0x0007000000023266-22.dat	disable_win_def
behavioral1/files/0x0007000000023266-26.dat	disable_win_def
behavioral1/memory/2932-41-0x0000000000AB0000-0x0000000000B3C000-memory.dmp	disable_win_def
behavioral1/files/0x0007000000023286-152.dat	disable_win_def
behavioral1/files/0x0007000000023286-157.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

dllhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dllhost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023266-16.dat	family_quasar
behavioral1/files/0x0007000000023266-22.dat	family_quasar
behavioral1/files/0x0007000000023266-26.dat	family_quasar
behavioral1/memory/2932-41-0x0000000000AB0000-0x0000000000B3C000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023286-152.dat	family_quasar
behavioral1/files/0x0007000000023286-157.dat	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exeAndroid Tester.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Android Tester.exe

Executes dropped EXE 4 IoCs

Processes:

Apktool Installet1.exedllhost.exeAndroidTester v6.4.6.exeWinstep.exe

pid	Process
720	Apktool Installet1.exe
2932	dllhost.exe
1256	AndroidTester v6.4.6.exe
1816	Winstep.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
45	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

AndroidTester v6.4.6.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Phone\7.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\window\win\2.ico	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ctx_menu\ad.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\kw.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\scotland.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\tk.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.mid.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.png.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\et.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Battery\b80true.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ctx_menu\b.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ctx_menu\zipF.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.doc.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\gb.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\om.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Imports\terminal.inf	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Bar\bluetooth.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Battery\b20true.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Camera\Zoom0.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileBox\Download.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\ng.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\sy.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\tn.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\window\win\22.ico	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\bo.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\gq.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\ky.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\sc.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\kn.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\mp.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\wf.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Skulls\Attacks.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ctx_menu\loc.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\pinf\system.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\aw.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\window\win\16.ico	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Note\Nup.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ToolStrip\0\folder.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.php.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\jp.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\nr.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\si.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\Folder Files.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\ne.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\pinf\sim.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\window\win\26.ico	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\AccountManager\com.dropbox.android.account.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\cf.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\nu.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\SMS\all.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\ao.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\at.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\kg.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\pt.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\mu.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\no.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Battery\b40true.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\bs.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\cv.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\mm.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\AccountManager\com.twitter.android.auth.login.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\sn.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Note\Ndown.png	AndroidTester v6.4.6.exe
File opened for modification	C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Imports\platform-tools\plwin.exe	AndroidTester v6.4.6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4508	schtasks.exe
4432	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

powershell.exeConhost.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeidentity_helper.exedllhost.exe

pid	Process
4576	powershell.exe
4576	powershell.exe
3524	Conhost.exe
3524	Conhost.exe
3524	Conhost.exe
2540	msedge.exe
2540	msedge.exe
836	msedge.exe
836	msedge.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
5264	identity_helper.exe
5264	identity_helper.exe
2932	dllhost.exe
2932	dllhost.exe
2932	dllhost.exe
2932	dllhost.exe
2932	dllhost.exe
2932	dllhost.exe
2932	dllhost.exe
2932	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeConhost.exepowershell.exedllhost.exepowershell.exepowershell.exepowershell.exeWinstep.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	3524	Conhost.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	2932	dllhost.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1816	Winstep.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1816	Winstep.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	Process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Winstep.exe

pid	Process
1816	Winstep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Android Tester.exeApktool Installet1.execmd.execmd.exemsedge.exe

description	pid	Process	procid_target
PID 2252 wrote to memory of 720	2252	Android Tester.exe	87
PID 2252 wrote to memory of 720	2252	Android Tester.exe	87
PID 2252 wrote to memory of 720	2252	Android Tester.exe	87
PID 2252 wrote to memory of 5076	2252	Android Tester.exe	89
PID 2252 wrote to memory of 5076	2252	Android Tester.exe	89
PID 2252 wrote to memory of 5076	2252	Android Tester.exe	89
PID 2252 wrote to memory of 2932	2252	Android Tester.exe	91
PID 2252 wrote to memory of 2932	2252	Android Tester.exe	91
PID 2252 wrote to memory of 2932	2252	Android Tester.exe	91
PID 720 wrote to memory of 1232	720	Apktool Installet1.exe	92
PID 720 wrote to memory of 1232	720	Apktool Installet1.exe	92
PID 1232 wrote to memory of 368	1232	cmd.exe	93
PID 1232 wrote to memory of 368	1232	cmd.exe	93
PID 1232 wrote to memory of 4576	1232	cmd.exe	95
PID 1232 wrote to memory of 4576	1232	cmd.exe	95
PID 2252 wrote to memory of 1256	2252	Android Tester.exe	94
PID 2252 wrote to memory of 1256	2252	Android Tester.exe	94
PID 2252 wrote to memory of 1256	2252	Android Tester.exe	94
PID 5076 wrote to memory of 836	5076	cmd.exe	97
PID 5076 wrote to memory of 836	5076	cmd.exe	97
PID 1232 wrote to memory of 3524	1232	cmd.exe	122
PID 1232 wrote to memory of 3524	1232	cmd.exe	122
PID 836 wrote to memory of 2188	836	msedge.exe	100
PID 836 wrote to memory of 2188	836	msedge.exe	100
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103
PID 836 wrote to memory of 4804	836	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\Android Tester.exe
"C:\Users\Admin\AppData\Local\Temp\Android Tester.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe
  "C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7A12.tmp\7A13.tmp\7A23.bat "C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\'"
      4⤵
      PID:3524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\appdata\local\temp\svchost.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\appdata\roaming\winstep speedlaunch\winstep.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\program files (x86)\nat host\nathost.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\URL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://allienhacker.webnode.es/?_ga=2.196494636.1688825314.1654326551-1345156272.1652202048
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffeafc846f8,0x7ffeafc84708,0x7ffeafc84718
      4⤵
      PID:2188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      4⤵
      PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:4804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:1156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:3776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9954020263962182808,11429519360577149553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
      4⤵
      PID:5356
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Winstep SpeedLaunch" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dllhost.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4508
- - C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe
    "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1816
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Winstep SpeedLaunch" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    PID:6076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:6136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WFMBEdKISSqT.bat" "
    3⤵
    PID:2980
- C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe
  "C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SpyNote\AndroidTester\Android Tester.exe

Filesize
1.3MB

MD5
ebb558b873c86429b7cf468046824b94

SHA1
9d058bbdbe7277508f4afdaa0a00fcba453b459d

SHA256
a4e32e3c0a375db9163be23c3378d666a9bdd0ba950097de679ec496a3c7d3ff

SHA512
504e9689d6ca4343bf1a8131950a28eb2e2be939f6ba2fa88d5e730c3c5b8d15c463c39ffcc5f51d8dc6afbdbb0182078064d9d71693aadbefc3948e7b0ff956

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\AccountManager\com.bbm.contacts.png

Filesize
433B

MD5
5343892a5aebba75ad7485437151a5da

SHA1
9af94cc2d5e577d2920e9ac00cef9eb3e8e4cabc

SHA256
35bbb89ec6aceeaf456c11e00ffcc8b9b08a642f22ba136b2e16ae49a2ca4767

SHA512
6252e1cc4bc5ed5666dc4d141cdda89fb953310a64687837f2e7c2a27dcc524e6ced953bd47ef175def7cbde08e0fd44bb17bc3252f4073116244d85c8f489a3

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\AccountManager\com.twitter.android.auth.login.png

Filesize
391B

MD5
911fa3fe86e280e9594b17d1c49cabfe

SHA1
c4aa3f022aae5a487aa7373751170a39940684c6

SHA256
b22a3b32746acf7e778308f4a894c95151bd4c8d728cbb4180bbc025c543663d

SHA512
73dddacf96290355f1267093eaf4a48272a451f18cbf12422440ab518b5b8c5b70b40bac9f16574503b2b1492adb40cbe536693b0d371482b81cc0cd28822c8e

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\AccountManager\org.telegram.plus.png

Filesize
377B

MD5
7501198ae01a5ddb14d6bcca6cb8063a

SHA1
585632c16aa67bab1bf7a37ec73c788d14b17c22

SHA256
6913959595d510db620cfead0d1240c6415082dc5c5405a573c8410033d6d2ef

SHA512
0fb4377b21bca7b13eb7fed082f6c9c4bee7a792100574631a3a8233fb9e06999bde53b659efdeb5a778ece1828c253de43563df3358ff8fa2254dd4bab7070f

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileBox\Documents.png

Filesize
213B

MD5
2d063af0235b8b00ff985892ba09cc80

SHA1
f61f9f32ac8c5abd53b0316769afeba5374e79d3

SHA256
31c6ccfe385844bb62d20876a599addafaeb7e53299d4c481c0cdefbf7599f8a

SHA512
c13d668a3f62f9fa463735b8c2d48527671a1141c4a355c03d2ef5dd889aaff6e6eebd520a0ee187b8a115b319247d0aca4cf33be310fd781afbf9c1e1027a77

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.avi.png

Filesize
318B

MD5
1fe9e7c9b54198110e55376074966fd6

SHA1
c07ad95af36dc363023489ade4ac4f8418ff8c45

SHA256
d3158f452be08061c6c558bda2acd24fc621fadef48ff65e4b1a38555c412438

SHA512
b416a2349d725a68696e58b15a5d54adc58ade122d31bcab19a1acbe670748979f1c6edda87d95c97c643479ce703e5652164047f0079c338e8f0e7fada063e5

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.flac.png

Filesize
307B

MD5
ded8c7514fff2c655678e5d972091f68

SHA1
df0eed69289e2cf1aa2199a7e481ad75edc77e96

SHA256
67855916347feef5403c65be95c7782e43aa54bc816cdba6fba629268fae5dcf

SHA512
351d94384752995b259ad894b621adf9c6fa7a628029beac26f0d6fa605b527969fbfd542693e7ae567d4c8800be200dd3eab7a44bc09e1c6cf17023510f20c2

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.gif.png

Filesize
371B

MD5
1599dd804230f5749666f27853e2242b

SHA1
95b1b1891204422f13d08fce052d77595d457a82

SHA256
757e61f6cbb0010be9fb615d221e0cba62d3d5f6edb5ccfb770875d5bed0ff1f

SHA512
1e074489a3b55ce1bfe5bfa3f4b166e8cd847d711a062eeb94a0935e2c137175b320ce02ba438ba12e4fa6250989846a47e66af25df507a3b78431501833e495

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.htm.png

Filesize
350B

MD5
0b0142846b368838009adb8e0ca5728b

SHA1
f588ffee0e694ed0dd1cff29a7bb2f35e244f0da

SHA256
e91e1941c2bd0c5c73a04a9bf3c218f15fb0cc0ee5538e449a93d4dcb4659853

SHA512
129ed4c70168aec2b26a9c5d4127c1fc83e38201b231a5969b41f7fd1270a72f87350f4e3fa75b77ab10792e52427cb8a2ef03a5e8babafe03fda2958dcd56f8

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.txt.png

Filesize
308B

MD5
bd141a1e2e88ca6c63e0f42d4cb62713

SHA1
c42b74c61c93fdda07ac65f56bbea56ab0cf066b

SHA256
97209e02204195c4851b735cc88e4618df344fe7ee7f3da272f5e569b8e315ee

SHA512
c68aa57986c50b06369a46fcb7fbc324fae1bd0180b40aba3693061c49e5c35206a47843c89bd9512a1abc49e4a21b7b0119f7d60610dc91d6ab07fea62f7cae

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\.zip.png

Filesize
201B

MD5
cc5e91a016dbf28b6343ddf9f3d05f0f

SHA1
a163601d9de3b95bebd0d2cd1c9b59b98e449442

SHA256
a05b5c4506df85f023dd7fa2bcb68dd1aef7b33711ded8278abd87e282659b23

SHA512
24873b927f182d51e0cde60ace271bd9eb9ffd53f5d975a65f6856deb9df9492021f350378292182885afcc318811a56ca5122433fac2d46f41cb4ec28bd40e9

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\FileManager\Folder Files.png

Filesize
216B

MD5
dfb32f74e4a91f72ae9abe8c2eff21b8

SHA1
97c2f6a545ece37a5bb89d7b3e394f936ccec70b

SHA256
311037d89c1f321ac0ffc5ab9c149e7c5639a1188ab6e2b15556fc157192be48

SHA512
900fb3523393487c00566439b689589822b520392425f952b55783bd47ad9cdd2547162c1e938dded1041702c37a3585b010900e4479c5accf3af723519120aa

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\gf.png

Filesize
545B

MD5
c1cf1874c3305e5663547a48f6ad2d8c

SHA1
0f67f12d76a0543772a3259a3b38935381349e01

SHA256
79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842

SHA512
c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\hm.png

Filesize
673B

MD5
2fba49c88880e9ffcff947015cb7ab9c

SHA1
20361b7e4d3cf488c5e6330b6abdb1efcaa9e866

SHA256
a7f9683bc4240ef940ee3d4aaf127515add30d25b0b2179a6cdec23944635603

SHA512
6d826ac84a3ba2f845a1092c75a4416f170fca0e74122de5d031095942d51f2c1b53604589a8960a3d48319f3040361d9b66f1733de19a5fd2b18f07fe6a29ff

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Flags\no.png

Filesize
512B

MD5
559ce5baaee373db8da150a5066c1062

SHA1
ee80e5f63c986d04f46bff10f639113c88107ced

SHA256
f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c

SHA512
c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Location\Zoom0.png

Filesize
2KB

MD5
86aa4f47782e42c5589324a1c0a145b0

SHA1
3db52f5cdd65d606cd44ce8d4b0d7b928598ebe5

SHA256
7f2236c5321469a6752f8b6a1a89da6a1fb1bdeb840e237c421852b74c293589

SHA512
b44e1de03c8dedd6efc38b3437030d85017674e5fa3f2a58341b3e9e29dc3a591b1ff2a735511bfd8c4ddc501f0b0fe3fa673c3d6a39d119ab6f365509865847

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Location\Zoom1.png

Filesize
2KB

MD5
72d9d560c9a49d932c7fd91d58397083

SHA1
3ce5a7ffbe38613f58d60b633ac811ae3cd857f1

SHA256
b519d1794a016f91318d498e411c7261fb2c9bcbb7743c0de98e8175762b3a1b

SHA512
5acfd542b0f241829dcf185ca2f1b9859dcccba6538bb23bd4c7e8abefcaf4189a9ff61a9cca6240cb5cd7467fa623b58427f3757335ae6a2a6570b7faf1b34f

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\Screen\ScreenOff.png

Filesize
287B

MD5
c286856963cd9666a7a49ffb2e671e7e

SHA1
330c3d6286128e893fd079711b14251bbc653278

SHA256
78be3699f1d4ed7df8246f310dc55f0edff51e2ab62a81336809ab4876524567

SHA512
95cb60f9200b965c7fffaa5b41fcc3b000b3eac5ca57d5e7d933099151fb890b5bce111f69aa80a9d47d2e2f90e135304c924ce94143da84b8607dfe7500ae99

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ToolStrip\Refresh.png

Filesize
2KB

MD5
3d7830e1f145dcd9f7f20e74249fa8b2

SHA1
500e8959d2e519db4daa112b7a2680f6ca8006bb

SHA256
2cf2c3f43b8a70ea258944033d21410cc358be6e6114f48db7d5fdc3aaaccc9f

SHA512
cb948775495990f953ba89958317254a68204f7a93fb16ccfea8c0e825e200438e44ba75e734a9b873bcec7e579652b69e448b805a27c2f12603af1fe62ce7a9

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ctx_menu\flash.png

Filesize
2KB

MD5
4e7b607aecec3064172332dd939f1681

SHA1
262f5b43da28533f51a3c42632396415ca420eba

SHA256
b8f94184d0b928a8d7699a608f452389d56f87d92a222fdcb55e651664d56b7c

SHA512
a3759a8f745034a06f500938a9f01b0e81509ca1ae34e1e50f1bbfeafcb0776b4369a38e60c59dadf053972ab3b8b22f01eceaf5363effb451df9f782057d387

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\ctx_menu\foc.png

Filesize
2KB

MD5
860e0f49e0f1cfc8782b74c4ccfdac7a

SHA1
748d0174731183a8e20598b96e7674f9ab867e2a

SHA256
84ca841cd3a9217a8a5036961da0642ce99e13acacfb08b65a6c9f79ebf43f7f

SHA512
fd7d380b3fb96dcf067eacbf0f7a6102ffdc2a7911f0aac601bcf57d96e1f4422bad1e3a12cc0ceffef680ab043060591f856904cf8425db116113e2f8d0d235

Download Submit
C:\Program Files (x86)\SpyNote\AndroidTester\Resources\Icons\pinf\battery.png

Filesize
2KB

MD5
653ff96be7bf4631c7436765f502a4bb

SHA1
da8a7f568a49161ce474c061c5da58e140fe91fc

SHA256
9691da6d394d51e879ea5db12042e8da1ba078335691c7ddf504813737a214ec

SHA512
2c5233590b2e372b33999a78325ae86ac377aa9d5943424a431ea7040aed2ba3f713ce403db0d4940e80de4e94c0c69c0fb7ada6d86142df8b3f673438f5f711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9bc65bb32605a23a5a24fb0b33f68b67

SHA1
903aff260159a203d709f2744cf3ea1453a68dd1

SHA256
5b927b0e6874b620195b5f90ba20cff523f6e9dd0b3f7fc6f20855d147068f75

SHA512
fe9cce5990b9e1a996283791e7c38bc57adb197633affd09dba665ca8557dcaf63bf4f3e576dd2601b751aa0e06af271733ffadefde3aa558720cd7a3911dca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
876B

MD5
71f21e1df7f554dfb42f1c9cec9b29bf

SHA1
aa0c3012514eedbf928327f8b12aab937f5e3257

SHA256
68cee5c28112079b04ff373cdb2bf02122bdfb42d9a0dea973fd39a6385e38ea

SHA512
5b5a894b244994cad3a23afc151dff71a5e2bd81bdfc2d2a93399008fd9d793588ef56e836f821e3b0246fa008088144da98b60bb385fbd415f152d0ad6cea33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d98ca6cd29e29cb6505a025c785ae88b

SHA1
6d99f5465836a90dbd0a7b781a8e6b10dc32270d

SHA256
a7770defe3cda4c100016c666a316c29c9b33505513b890b6ca943e2005b21a6

SHA512
fd7ba227e270637440e26e4cc552a99dc16da2e1fd58a39a4bbabc17c2bc9af8643f2777eb23b7859435f7b9b20645f6ef26c46ade8e0d65d5ff7540c834337f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d5c9f0a2a79c504bd66b70423dfe8ef

SHA1
9b1347da58f0d61634cd82badbc7e922a757e9cd

SHA256
5fa11ae5b0e3c1633419f46de92ec0629dc704f1d68ddc7cde919a5ac12ba9c5

SHA512
b469e084d3e3887380da135fe681a3d4fec2f0d5cbfb4b52420398d6681c3b002e0352bfef93df5e65b6b6c64dbd0b41a14646ce3da3d7df257068b7bb8f9814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3aa6aec5f238d0d88aa99e8176b1ecc1

SHA1
3942ec2a55cb32ef7b4762d0c5c99bf333c1d095

SHA256
886253329a29be2006b548ca5cbb76d3067482b5c2956b7b2f373a058b34da76

SHA512
75d7f2f78ea5536bad5873f51d86ebb5de5bbe47c1a8c506ec922807890c00e20188653d31257e9a71b2d7800accc5fb3754a652a2c7cff860e551a4bee963b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b352d899d3f23a153ce4c01cecf5186b

SHA1
f30b20d6d1d2cee54324cc6f4b35266eea94a52b

SHA256
b3558d078c84955ec2d116d75233a20b8473b3e44b863cfe589ef226c09bab10

SHA512
a8975ddaaa42c9bea1c4cc15b0daef6c53930866f4f8e911961e2b3b1c78f5306938d411a51bb38589952398b5b19fc7707df21912eaf8208beab5108a7be94c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d88754cc96c3a3c8c3b7084aa7fa12c4

SHA1
e33c2280cdf1597cf2d480c05ba71b573275046e

SHA256
2f19ab170c12aca990343beeb2c751138121bde400566e18acfd2ee2502d7c65

SHA512
23ca9b8e41bb54d2c8111b0ca0a8f07872a6820694bd7c110661a404862e5eca20c0de7e9b4f62cc7b847e5456828559650fc68aa11f508c9005421b1140144d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7e246fea5b287c900660a0a775f73244

SHA1
111bd9dc805e01098805f59b0fa47c75dac3a630

SHA256
5d0cc6c417c49acbbb12947a988e4c4a7c44756a76d2cbad57b4fedbf4538885

SHA512
243851a2363d98da786575b2626fd907496886a3a8da95ba3ec4f3896f6fe0d7424cc66abd6a0a5680a5ee130141b5fab6a24a6652c03c0b6d6b23b70cb098b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
6.2MB

MD5
d8fc02bb4d3783bd610db82ce59fe4ec

SHA1
6ab15f56f1bf420ff60a931dab8f234549cf5944

SHA256
0c0c7d1e32c57222f601146eeded3cc330908d9c974aab26e6c7412273412a45

SHA512
da9e2a6f00f4a19a67919636db29f218fddafec531355fd48a451b53ba7413dd59100c8bfce68f29a874e6ecfafd802de0f478458fd3cf7fd4ae0c5a49a6cf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
35KB

MD5
f47e18888b06410a0c6c35e240ca44b5

SHA1
1bfa6dad3130beec81d2fb34457e306f35906c0a

SHA256
d49c6ef633f0f76a6826f52c08c927645d12f5f45ccaf0390e8504740a47a034

SHA512
4182274b27977eb82fd4ed36735e5d317ee7dd2bb8bfdc3f4615e99a4958ea35ca0bf98e82a33e759af4efd07c9bf9bac218724d0986d710420729b212a6112c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\4.tmp

Filesize
4KB

MD5
0d8dbe5cd39f3369265d93195e5c6449

SHA1
3332c1b711e5dca17d11538c8e6c208c870363bc

SHA256
fd17ca05fa0587fbf2d1ab722ebbf4a4b254f2ec0048e9cdae20655f7de06a39

SHA512
e3caddc18ee6f53bfe2b61b3eb14fc662e37f6f2fa05b35a4665ec37016209b1ade9a458b93193bd264eaeeddd2e0dba11d0c85b96c4cfdd71c8ea329d717467

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\5.tmp

Filesize
51KB

MD5
ab2021e67e0e08657288d880abfbaa72

SHA1
ffcf7956d5aaad47f4801b32b5fc893dc78a6dbc

SHA256
331d997e586cba40d4da0587887fc4caa4cc44e53421737dafa67e67445e6753

SHA512
e2975814169efe247b2f8954d60f331eea9340419f96255e4d0ce3c19ff9ddd3b98ec87f51d73ce3dae045142c2c40e600ad7d5dca3eeb156e038eba1a21bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\7.tmp

Filesize
2KB

MD5
696641d2325e8b142b6c16d1183aca43

SHA1
d8e2a1f5e3280d8d5315f3e434ae13f0a36fa783

SHA256
4a56ffce0e414f3495f70e9c2960837df25423b0dbafd21a073dbdbaa461bc90

SHA512
4cbe6360e6c4bab65179d661b07d81011fba89fd51ee81a99bacbb51f65ade2dab0808ecbd63db24e20820b711df8f52e0eb35c01b52a78ca22e5740ab6f9f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\8.tmp

Filesize
2KB

MD5
bac172b887bc7d09db5e14ce26a4943e

SHA1
5e2e3d9537d8c2097135887da2cbe333c05e5218

SHA256
aaa3bee9ebd3640c05b8a70f22c9fbdb8ea0e61ca3762db5a4583e94d46a5c79

SHA512
2d741fa0d02a597a36e1712e3ef1f96f60f460bdd6f752b3eb37d1a891448a5f78917d15222258533367d67c63faac9fe4755f44770ce56ae4243a455692a69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A12.tmp\7A13.tmp\7A23.bat

Filesize
1KB

MD5
bcd21aeb88d121e122e032bf667a75ec

SHA1
32269670e39bb393f918c8ef7b57ddceaf6e27b1

SHA256
cb7ed31c658bf88e133e1e1397ee0dbbd56bb7629895a9ccf6dc558c747b18a8

SHA512
2c03bbe713c0fdb4faf5df5d5d54f057ee5df13776fb56f12565c597738ae7d81e6f2dd06c2a6eae583eab40698d2c870c9a349d74f4061b0b41d5387e7bef5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\URL.bat

Filesize
109B

MD5
ae2b368ac1a2180aa6307c913aba5713

SHA1
9ed2a7fe126d48cbd53c5a3b89cd2dc86b81f921

SHA256
b5d3420d52ea0fe34905cb9269f11b964dd7c2b3a31d58620131194fcd2bf992

SHA512
839f3dff0ddf5ad0bfd8f7fa0d6a98fb7bbc0c0b0baa8b58eb6621c011ac175fb34f1a44587b4fc8a0119ca0491d44109b12ae050eb66cf4dca5a2d75a1113fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFMBEdKISSqT.bat

Filesize
204B

MD5
b540488359837ef65dbb45087d5e5f38

SHA1
20d2e032040b01ba7c0259e2daa7bb6bc9b66878

SHA256
3081e6fd72658458ecd0fd357bae1af0dfbaba52049f097b91aca973547c2102

SHA512
701e474a485375e4f50537c7eb328b8343937d372ca1839bebe6dd5371a20c037158096c2946758a64d0cbce87572017509d2ef9a55053a5b53de01fa748c40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nk0nl5tm.v4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
\??\pipe\LOCAL\crashpad_836_JROOUSHCUHJVXMKU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/772-207-0x0000020D1EE50000-0x0000020D1EE60000-memory.dmp

Filesize
64KB

Download
memory/772-234-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/772-206-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/1256-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-300-0x0000000007410000-0x000000000741E000-memory.dmp

Filesize
56KB

Download
memory/1524-293-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/1524-159-0x00000000048E0000-0x0000000004916000-memory.dmp

Filesize
216KB

Download
memory/1524-244-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/1524-228-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/1524-235-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/1524-243-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/1524-171-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1524-218-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/1524-173-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1524-265-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1524-220-0x0000000004F20000-0x0000000004F42000-memory.dmp

Filesize
136KB

Download
memory/1524-266-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1524-272-0x0000000073640000-0x0000000073DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1524-175-0x0000000073640000-0x0000000073DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1524-280-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1524-282-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/1524-299-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/1524-283-0x000000006F350000-0x000000006F39C000-memory.dmp

Filesize
304KB

Download
memory/1524-298-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/1524-294-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/1524-295-0x0000000007830000-0x0000000007EAA000-memory.dmp

Filesize
6.5MB

Download
memory/1524-296-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/1524-297-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/1816-158-0x0000000073640000-0x0000000073DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1816-222-0x00000000062D0000-0x00000000062DA000-memory.dmp

Filesize
40KB

Download
memory/1816-236-0x0000000073640000-0x0000000073DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2932-67-0x0000000073640000-0x0000000073DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2932-66-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/2932-65-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/2932-108-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/2932-143-0x0000000073640000-0x0000000073DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2932-41-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

Filesize
560KB

Download
memory/2932-145-0x0000000006AD0000-0x0000000006B0C000-memory.dmp

Filesize
240KB

Download
memory/2932-68-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2932-144-0x0000000006690000-0x00000000066A2000-memory.dmp

Filesize
72KB

Download
memory/2932-148-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3524-93-0x000001C745AC0000-0x000001C745AD0000-memory.dmp

Filesize
64KB

Download
memory/3524-111-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/3524-75-0x000001C745AC0000-0x000001C745AD0000-memory.dmp

Filesize
64KB

Download
memory/3524-76-0x000001C745AC0000-0x000001C745AD0000-memory.dmp

Filesize
64KB

Download
memory/3524-74-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/3716-190-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/3716-168-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/3716-172-0x00000204332D0000-0x00000204332E0000-memory.dmp

Filesize
64KB

Download
memory/3716-170-0x00000204332D0000-0x00000204332E0000-memory.dmp

Filesize
64KB

Download
memory/3716-188-0x00000204332D0000-0x00000204332E0000-memory.dmp

Filesize
64KB

Download
memory/4576-64-0x000001E1D5B40000-0x000001E1D5B62000-memory.dmp

Filesize
136KB

Download
memory/4576-43-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/4576-44-0x000001E1D5B70000-0x000001E1D5B80000-memory.dmp

Filesize
64KB

Download
memory/4576-45-0x000001E1D5B70000-0x000001E1D5B80000-memory.dmp

Filesize
64KB

Download
memory/4576-72-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/4576-69-0x000001E1D5B70000-0x000001E1D5B80000-memory.dmp

Filesize
64KB

Download
memory/4832-191-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/4832-192-0x000001A82CF70000-0x000001A82CF80000-memory.dmp

Filesize
64KB

Download
memory/4832-205-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/4832-193-0x000001A82CF70000-0x000001A82CF80000-memory.dmp

Filesize
64KB

Download
memory/5044-126-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/5044-149-0x00007FFEB2A50000-0x00007FFEB3511000-memory.dmp

Filesize
10.8MB

Download
memory/5044-128-0x00000273D6040000-0x00000273D6050000-memory.dmp

Filesize
64KB

Download
memory/5044-127-0x00000273D6040000-0x00000273D6050000-memory.dmp

Filesize
64KB

Download