hxxp://66[.]225[.]246[.]6[:]5678/upsupx3[.]exe

Analysis

max time kernel
1114s
max time network
1116s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://66.225.246.6:5678/upsupx3.exe

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4740	upsupx3.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000022cb6-20.dat	upx
behavioral1/files/0x0008000000022cb6-76.dat	upx
behavioral1/memory/4740-77-0x0000000000270000-0x00000000002E0000-memory.dmp	upx
behavioral1/files/0x0008000000022cb6-78.dat	upx
behavioral1/memory/4740-79-0x0000000000270000-0x00000000002E0000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447433040334041"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 5a003100000000007257db0a1000706573747564696f0000420009000400efbe7257db0a7257db0a2e000000032d020000000c00000000000000000000000000000079c8740070006500730074007500640069006f00000018000000	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = ffffffff	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	pestudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	pestudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "13"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	pestudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	pestudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg	pestudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads"	pestudio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	pestudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	pestudio.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	pestudio.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
1332	chrome.exe
1332	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5076	mmc.exe
4104	pestudio.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
5076	mmc.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4104	pestudio.exe
4104	pestudio.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4104	pestudio.exe
4104	pestudio.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5076	mmc.exe
5076	mmc.exe
4104	pestudio.exe
4104	pestudio.exe
4104	pestudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1012	4764	chrome.exe	87
PID 4764 wrote to memory of 1012	4764	chrome.exe	87
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 3044	4764	chrome.exe	90
PID 4764 wrote to memory of 4560	4764	chrome.exe	91
PID 4764 wrote to memory of 4560	4764	chrome.exe	91
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92
PID 4764 wrote to memory of 624	4764	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://66.225.246.6:5678/upsupx3.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe1309758,0x7ffbe1309768,0x7ffbe1309778
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:2
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4704 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4692 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4508 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:3444
- C:\Users\Admin\Downloads\upsupx3.exe
  "C:\Users\Admin\Downloads\upsupx3.exe"
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3840 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1464 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5324 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5504 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5784 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3264 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1868,i,2514905358803217791,14813194317659388204,131072 /prefetch:8
  2⤵
  PID:388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4268

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3896
- C:\Windows\system32\schtasks.exe
  schtasks
  2⤵
  PID:396

C:\Users\Admin\Desktop\pestudio\pestudio.exe
"C:\Users\Admin\Desktop\pestudio\pestudio.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
3d639940dfedc9dee3e3ca1da8a096f4

SHA1
3adb383662ba06b300dcbd66d5f8b879627a610c

SHA256
7d972233be3916f6e7d9071e87652576a22a46dc17513db866ce45b881e9e475

SHA512
813714f7dbbde641f0363996044953cc56efde327f8e9aa7c5c722ca17b3c1d20df30bf88bae7cd15ffe4b2bf328a981992657489f2875d0cb1ae3ef00b4c7ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
15c982223e56667fba20b27cd0e427b4

SHA1
cfa5effcb63c75058404bbf761acb2eaa533ba35

SHA256
3d4e0afdaa2973d999b4f1500ac7439b62867f1e7984b5880c9b5f43023603a7

SHA512
4119a843dcc419825c410a1c5c0356db11cba798f0a4089efa2106efdf8f99bba62502401ed88f612eca3d22b12413f0f97651670c64e1900c773242fbf4c32c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a49bf06a38e7fca8bd5fe37e73c84f59

SHA1
cf1935a89d892dc1b140c8bfc2160bf630d8e603

SHA256
b62245b6b911a5ee3dd437fedb62eef0ac746064d57ba55833fd825025f0dd52

SHA512
77b29eb0bbe4fe5ce9a06dafeb44f42bada5b62d7eb60c25ec0c48f56fd00db59065578e98c9227236aa9d07a70a8cc0961c62839a6e94ef640f5b55b034b031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
92b3bf1aaa4477edee310918ada6c693

SHA1
8631c8ed36646367b2f5f152fd4e950a79bfc380

SHA256
2dca0155bb3244338c6e9801683da0ace8b2d7c9243a3616dbe0ae1f06d275be

SHA512
b32663bf877aaaf02f18f34a9e9cc38de7cd86de81afcf144d6a3b4e1ebcce9de440499f334acec35c4d8aa41eaf91464c525c638fcac8da45d4acf094c8ddee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a4690606f71281ecb3c0fc56d45639f1

SHA1
d3298858e799f89946c8caad5d5ce0e57c5289c3

SHA256
e1fd116cd1d7a4719aa8d105c29b12365114790990e1e6ff7d724bd09ca7bb77

SHA512
71e5f0289a5e3871154e751865c68a3ddd7544e7946421fabe8b5cc9799896e901d8224c391207bd0307d6f5bc88f9dff4721c2eb35e9dceb84455a853ae7613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
48678a4997024b64e900819fb66ed376

SHA1
8137ac2f1570e2141bb4dd1fbeb1da0aa82c5f56

SHA256
b6ff89b9917ee1ec5f7fe49d0180649f83e6df07a27fc46ef9d981f3dc0fba06

SHA512
0d6b6909a24561a11d2d5d60a0778e9bd8eba82a9eacceb8ab13456ca909c45db4d8d254f60b7c19914c726e31f03fc06ecaa5406831cf04587b03045ced12d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
abaad234f8f4fb828f11be4d5a7f3919

SHA1
ca67623efb9013be74f23c0c2ac8bbf613b65b52

SHA256
64c6b5bbd2d9100f48aef136c75a8dd42c4d64e5845c2b1e3c01d683d8949cee

SHA512
8ef3c390b40d928eee4fc4c448cd683721f95bf7441586833e2b1d839d2370aee714848507ac8573902535a86a6254830d8d61913fd3c6f59ed97083c8201270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df8311c6db2923e1edf272dfadbf91a4

SHA1
79f651bba7e71f553ccf24fd9fe8e1e6244905f5

SHA256
791ef16b9cbc38488ef3ec3890d268d2e0479f8e8770e7651115eabfa5d06788

SHA512
f78950e16e392ee72d1c388e337916b03f163516ee442e66c6490d95ce51e95ec7675074b45c63afdb5e3cc9c49a9b6fedc8e7e1dbd92681acfa6667a2b803ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d62ff48667007a20516761f393ad1d3

SHA1
6eb7a06cd99a1e8927e1a14b3f6428f4d7821ea9

SHA256
9a0974dcd901d7539f8157bd83df7462febe6c826ee13bc00a61b57703b452a0

SHA512
46d35141b3e9c93f57e93811b00732766ee380eeb807629ab1bfada1f683b759451ed3e557fafce19604b428c5c15e45673bd12c5f3deaa9c5fec2fd22d6b070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c76306de3886d017cc00ea21ef726a00

SHA1
cc7e8ed989cfac8588dc8cbaac602873d777233c

SHA256
164cb963232fab8e8ab35348b07805d335b434e1ff0df24cd97e34d17611f064

SHA512
d24131879fef8942d5ef32aeef3dbaba75ea9843bfae1106a6d04ec214844c135163d67921e125dfe7643bab8bb8bf18eb64e9b606f8a229484f9c86a0ba79ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7626ef946a2df6ed13dbae0e9b24a3b4

SHA1
3be647ded33617f5504b0dfb6e3c8feef34b2992

SHA256
6e37674595bd23693c8c829bd3e16eb80a047392d35fa3654d9c478bb3722ed4

SHA512
7bd0ca56853462a5f8b41817dba78e2a34abf350d069bf1bd91b324639d41a00af71338e01dce6fe661ad6ebff932e604441a99d9c988a3735e7ab690de3b4e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9985fde41279c9621d3d36903024f57b

SHA1
18cbeb3c61baed25d7adc3322dc7e24f7d56e078

SHA256
1b39dd3bc2c5845dd5ce9b56bc501386c96722fa957bf5ff41dc4f079318542f

SHA512
26513fa503fe632ab6db9c3378792b4ff48c42579e87b34f02fffcbdc544ae9e0832078e0768524591f2bfa6b502952cdf005aae1f918c3a3d99fd585a1a419b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5ff31420315690e730994e78e6d69768

SHA1
65225af081bfdbc5f0b742574419b397a9fea9f4

SHA256
e4574f9c16145dbd773570aa475a798893ff427927e80f80364dc04eaf1136c3

SHA512
55a91509a9f29437b6a680c38aa80d4de54503cee78dc69e8f2fcf60cb23bf064d1d4a3d3cd4cd0ce0dd0f049fc1032dc86cc64aad6eba9e99a75749bb592b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
beccabe6848d1ceda6d711dccc9a2ac9

SHA1
1af7dbb53496c825dbd63f13830a34de252b81ee

SHA256
25fb8c2f52f67ebac22a672d2865d897cb5616781851defddfe8355e23c142a0

SHA512
a190226c2b651d9a3a2ff38563aba6188e1124ddde56915065f7dc7bd629eb5b823edf4446ab9f298baa9bc9abf1b22dafc5054adc711bcb5afda1b9796afa80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
9d28acb048a48595a8cc57fe9a940c2d

SHA1
bbc8e015d26cf70496658e9d7de75cf27207e1ce

SHA256
2c69d465bbc8112c6716fc239c69a4e87c660ee40dcaf0699e6f7eb411ffe793

SHA512
86d27834ead4b2b9d9be2f0cf081b79880d83b585f7c9302f18b7a6df3162f0e861ebb2a0ad110943eb06b553b82a0689e624825bd4ffb370298ce1e8b2d8867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
7196f66df89e7b798e1d2746a8dbe75c

SHA1
10adbf5dc334d74a79dc34d2bf3e4d92daabc7c6

SHA256
d7426393aed1fa472263e7ece1d088923d4fdcb875f9db0dd678a16a3f0a44d1

SHA512
38c19d60d9cecdceccdc6829563931921545c4c2ce0a3961cad53939e16b97e3abaefde3af5b60240c9af4e1534a423984080ced27e9281e0be38a8e6205b846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
a04843ae80f67ca32a6cee8419a0a4e5

SHA1
ce6f4796551b027732ba42cb84d5daa8e5ade4ff

SHA256
fbfb99d0e8909c87544a45daad477df05fcae148d96d9a845f950349608ac62e

SHA512
763e7a6f107dd12fa994084a6c15ba75704e1c3e25f277faa39ad462195197a2b28845ab5979447c53c714230da5f419e672efd06b2662afd39902060e8af807

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe589ff4.TMP

Filesize
101KB

MD5
fbeeecb1c0995d4e7d19d6addc1e6f03

SHA1
605355bcad82be29d0cdc02859fa7af63022b6bc

SHA256
01a69ba0b17d4031dbc449e9bf2c5cfee16fb9ea6e4d9a2f96386d9d2d0943eb

SHA512
e48e150c1383c78bd0516e4e6385db5e77a3bf971d4412b4c807110ec0ba5861c8b7c320a5fa3e3b0152f37cd872f9665e31a908b7f7ad3a7660931c8b21b402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 361084.crdownload

Filesize
187KB

MD5
bb98715760f7f034b22ba742604f8210

SHA1
2ecf4a3ed14dd7ac58096c10792b1b15f6afd47c

SHA256
026891e0c22027a4faec0530c922ea7e16a995cc267eacce75d5f206964127a5

SHA512
5612632abba6e3d9c9f77d0788e11a140a05afc076d93b1754ceaeeda42c6f594c8a888a31a055655771d792e999f38cdd431e806dd75c730811eb82f5e57ad7

Download Submit
C:\Users\Admin\Downloads\pestudio-9.56.zip

Filesize
1.1MB

MD5
18a99a95a5442e7446536480f9c38b04

SHA1
b7156a442ba2ed735816e0216608db1e9b8d6625

SHA256
57f55e9e6c0db64dc28517efacc919e53dc6afef91ea1e6aa1fbd7be1ec35cbd

SHA512
ada99f3edce6f750da8eb34ae35a71988889f8da8810eef12e857894eb3b24b42e60cb59046ef3a7cbaf7dc90dedb7967d03df671d0719c2d7391149afdbecc4

Download Submit
C:\Users\Admin\Downloads\upsupx3.exe

Filesize
187KB

MD5
bb98715760f7f034b22ba742604f8210

SHA1
2ecf4a3ed14dd7ac58096c10792b1b15f6afd47c

SHA256
026891e0c22027a4faec0530c922ea7e16a995cc267eacce75d5f206964127a5

SHA512
5612632abba6e3d9c9f77d0788e11a140a05afc076d93b1754ceaeeda42c6f594c8a888a31a055655771d792e999f38cdd431e806dd75c730811eb82f5e57ad7

Download Submit
C:\Users\Admin\Downloads\upsupx3.exe

Filesize
187KB

MD5
bb98715760f7f034b22ba742604f8210

SHA1
2ecf4a3ed14dd7ac58096c10792b1b15f6afd47c

SHA256
026891e0c22027a4faec0530c922ea7e16a995cc267eacce75d5f206964127a5

SHA512
5612632abba6e3d9c9f77d0788e11a140a05afc076d93b1754ceaeeda42c6f594c8a888a31a055655771d792e999f38cdd431e806dd75c730811eb82f5e57ad7

Download Submit
memory/4740-77-0x0000000000270000-0x00000000002E0000-memory.dmp

Filesize
448KB

Download
memory/4740-79-0x0000000000270000-0x00000000002E0000-memory.dmp

Filesize
448KB

Download
memory/5076-120-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-110-0x00007FFBD0F40000-0x00007FFBD1A01000-memory.dmp

Filesize
10.8MB

Download
memory/5076-124-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-125-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-131-0x000000001E440000-0x000000001E540000-memory.dmp

Filesize
1024KB

Download
memory/5076-134-0x00007FFBD0F40000-0x00007FFBD1A01000-memory.dmp

Filesize
10.8MB

Download
memory/5076-113-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-112-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-111-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-123-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-122-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-121-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-114-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-119-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-118-0x000000001E440000-0x000000001E540000-memory.dmp

Filesize
1024KB

Download
memory/5076-117-0x00007FFBD0F40000-0x00007FFBD1A01000-memory.dmp

Filesize
10.8MB

Download
memory/5076-116-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/5076-115-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download