hxxps://www[.]tuxlervpn[.]com/fr/download-windows/

Resubmissions

31/05/2024, 13:53

240531-q643jabc58 8

31/05/2024, 13:49

240531-q44c8aaf2t 8

Analysis

max time kernel
128s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.tuxlervpn.com/fr/download-windows/

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1392	GLP_installer_900223150_market.exe
648	tuxlerVPNSetup.exe
2804	tuxlerVPNSetup.tmp
4260	tuxlerVPN.exe
3076	ExtensionHelperAppHelperTuxler.exe
2960	tuxlerVPN.exe
1640	ExtensionHelperAppHelperTuxler.exe

Loads dropped DLL 64 IoCs

pid	Process
1392	GLP_installer_900223150_market.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
3076	ExtensionHelperAppHelperTuxler.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tuxler = "\"C:\\Program Files (x86)\\tuxlerVPN\\tuxlerVPN.exe\" --auto-start"	tuxlerVPNSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	GLP_installer_900223150_market.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	GLP_installer_900223150_market.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\tuxlerVPN\icuin52.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qjp2.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\sensors\qtsensors_generic.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\platforms\is-U8NA8.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-OJO0F.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\bearer\is-IRP24.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\dbghelp.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\libGLESv2.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qdds.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\libeay32MD.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\ssleay32.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qsvg.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-IS3BS.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-TI8GV.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-THN7P.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5OpenGL.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-QLVRG.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-PQVR9.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-E0IEE.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-H5NCP.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-HQMGD.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qico.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qwbmp.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-7F2DJ.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-GN6GS.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Positioning.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5PrintSupport.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Widgets.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\vcamp120.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-HEES4.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-2M5KM.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\unins000.dat	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Sensors.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-216R8.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-33HRS.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-H3L5V.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\libcryptoMDd.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\libcryptoMD.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qicns.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-4DGO9.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\libeay32.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Network.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Core.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-PE6K9.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-4V48U.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Svg.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-VOO0D.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-IOQIM.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-4Q213.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-3314D.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5MultimediaWidgets.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5Quick.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-82IFT.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-QP3LR.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\sensors\is-KLGKT.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\Qt5WebSockets.dll	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\bearer\qgenericbearer.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-5M80K.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-EVJR3.tmp	tuxlerVPNSetup.tmp
File opened for modification	C:\Program Files (x86)\tuxlerVPN\imageformats\qmng.dll	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\is-GP0VV.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-C1AKN.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\imageformats\is-UOPLH.tmp	tuxlerVPNSetup.tmp
File created	C:\Program Files (x86)\tuxlerVPN\sensors\is-B6CMH.tmp	tuxlerVPNSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2760	taskkill.exe
4660	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616370071054219"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-540404634-651139247-2967210625-1000\{8CCAC867-2913-481E-B748-ED961152EE7D}	chrome.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
1392	GLP_installer_900223150_market.exe
1392	GLP_installer_900223150_market.exe
2804	tuxlerVPNSetup.tmp
2804	tuxlerVPNSetup.tmp
2804	tuxlerVPNSetup.tmp
2804	tuxlerVPNSetup.tmp
2804	tuxlerVPNSetup.tmp
2804	tuxlerVPNSetup.tmp
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4260	tuxlerVPN.exe
2960	tuxlerVPN.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1392	GLP_installer_900223150_market.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
4260	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe
2960	tuxlerVPN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 544	912	chrome.exe	81
PID 912 wrote to memory of 544	912	chrome.exe	81
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 2052	912	chrome.exe	83
PID 912 wrote to memory of 1436	912	chrome.exe	84
PID 912 wrote to memory of 1436	912	chrome.exe	84
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85
PID 912 wrote to memory of 632	912	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.tuxlervpn.com/fr/download-windows/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5e2dab58,0x7ffd5e2dab68,0x7ffd5e2dab78
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:2
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4696 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4160 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5036 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4360 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5920 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3040 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2688 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3116 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4584 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4640 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Users\Admin\Downloads\GLP_installer_900223150_market.exe
  "C:\Users\Admin\Downloads\GLP_installer_900223150_market.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3412 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 --field-trial-handle=1912,i,8353794631115868527,17940044951808858639,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Users\Admin\Downloads\tuxlerVPNSetup.exe
  "C:\Users\Admin\Downloads\tuxlerVPNSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\is-9IP9Q.tmp\tuxlerVPNSetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9IP9Q.tmp\tuxlerVPNSetup.tmp" /SL5="$70150,28751889,184832,C:\Users\Admin\Downloads\tuxlerVPNSetup.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ExtensionHelperAppHelperTuxler.exe
      4⤵
      Kills process with taskkill
      PID:4660
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im TuxlerFreeResidentialVPN.exe
      4⤵
      Kills process with taskkill
      PID:2760
  - - C:\Program Files (x86)\tuxlerVPN\tuxlerVPN.exe
      "C:\Program Files (x86)\tuxlerVPN\tuxlerVPN.exe" --install "--UNIQUE_ID=C:\Users\Admin\Downloads\tuxlerVPNSetup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4260
    - - C:\Program Files (x86)\tuxlerVPN\ExtensionHelperAppHelperTuxler.exe
        
        C:\Program Files (x86)\tuxlerVPN\ExtensionHelperAppHelperTuxler.exe --wait_for_parent=4260 --port_inc=7070 --port_start=1700 --port_max=65000 --app-name=tux_desktop_app_hlp --username= --password=
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3076

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3804

C:\Program Files (x86)\tuxlerVPN\tuxlerVPN.exe
"C:\Program Files (x86)\tuxlerVPN\tuxlerVPN.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2960
- C:\Program Files (x86)\tuxlerVPN\ExtensionHelperAppHelperTuxler.exe
  C:\Program Files (x86)\tuxlerVPN\ExtensionHelperAppHelperTuxler.exe --wait_for_parent=2960 --port_inc=7070 --port_start=1700 --port_max=65000 --app-name=tux_desktop_app_hlp --username= --password=
  2⤵
  - Executes dropped EXE
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tuxlerVPN\Qt5Core.dll

Filesize
3.9MB

MD5
2609fb688d1465a051afd692082f6f9b

SHA1
11842a28cd57ed728f809bc740c97579f9204239

SHA256
2aec6ea04da919909b19f07934db99f745302397ec7d190be43d82b05ef8d257

SHA512
102cc3afb054f0119dbb44a73653596825eb74d8575021489ece69451875257b5eeae965c187f1bf2225b0fb7e866fb51e28951b861af0db915b6815aa2a64d1

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5Gui.dll

Filesize
3.1MB

MD5
04e733bf70993d7ee5dc56048c1fb132

SHA1
eefa2a31e06eb37d49bf5f23315d4bf421a4447e

SHA256
cda1f62442e0bdb654ed47a8be9a20bd7d665f6a538ed25f10bd88e420af15c0

SHA512
b827a9e2ac7570f83746432ff77e3fc6516c881a3ba3bb1e84e49efd72eddf6f2d3f3b19c9d9d4444d4d0a36db843432c9b4d8253718bd2f6c31ef69eaa533b4

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5Multimedia.dll

Filesize
532KB

MD5
e8292ff46166b85f749cb93d0a015077

SHA1
c900ae9349ed3dcd9b632d7f07637636ab1e0244

SHA256
13c3ad77e03f488da4bf0c207a86b52f5c21fe39cf4c3becfddb60ea1683801d

SHA512
fa4cc96e0e225ffa23a62f0db813d599aac11c544a38271e1b0f8febf0bd4a485b23a67dfbaa08c7a8bf0a1cdc6634af5f54f3ca9413d6d29506694aa387c16c

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5MultimediaWidgets.dll

Filesize
76KB

MD5
c649f3dacecd0a4164040177e1042d58

SHA1
e7fc669a955131c503a11e05d1755e089a67e0c5

SHA256
e88b24b473ca0ab655a0469e73ffd4d0ff44555839832583680040890464d50c

SHA512
3c0496731b602ccc7b70e87be530c1c220c42f3f0a09319b6c1d03a6c1989590ae7db539c2a8489f4864729e9ebf20c0b8cce9affd7f24c55db73c435f1f6000

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5Network.dll

Filesize
819KB

MD5
970cf10f8d18a6c56525188fd7a20198

SHA1
fc2e9371e933651436191e268ce1fcf1b9bb9e2b

SHA256
b1e5512df617942b6c089f0c57bb5c9ead165ec0e28c16b21722e8dc346c9a94

SHA512
efe470934f158327863d91504be9a3ca8d83fed54210a9f872ef0ded46ff2adda87c3c03dc66a208c85afa434fc30277033857d211a86bd060f530c6bc07ed8f

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5OpenGL.dll

Filesize
245KB

MD5
5a86040f9da6d0b291ec5bcfa00afc57

SHA1
765a304effc4e5e0b79a6668352c395edd11ab37

SHA256
01d0322640eb9a16e0d0a3aed413f28ef8889ad914dbc4637140a8b6bcbfdecc

SHA512
d2dd4a49b1c918fab3eba2fb0d743e00da78acb4a32bc68130d531e2f1e8a2d4b268bf3b669a4094bb0e214407a250754855c9107590c81f36d64a3f4ce0b7c5

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5PrintSupport.dll

Filesize
257KB

MD5
4a16c61977726b87b1bc52f53a9424b4

SHA1
bdfaa52eef9e6c7abb712499522226ddb62770af

SHA256
39fd2c8b8dcc75cae5dfc4c9f1bc2f9ef215b79d6dc7458e0a2745e58203314a

SHA512
ad7a8e1290505396b30d3765f324936c85b17979774bd8b7bf6b236b2e5b6d0903fbebdfd118b94d62754fbfa09aae6037a040d951c81de5da154438c054a596

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5Sensors.dll

Filesize
144KB

MD5
196f3c8257a6ce93e7b92a931f9585ce

SHA1
5bbafa17a335069bd47b314cd190c18470b8f3d4

SHA256
a795be8a25c1f4810f6ae1bfceebd19c330edd7350779d1eb1a1eace96412e20

SHA512
7f3b4ff912b8a08b1fa8e23612df80b098a67e9453dd14914998d5a4f64bda9b11f6a80e65ec2dab16ed6bd2ff81ad251f6be56dbf042bf11e3158ba0b6edf25

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5WebKit.dll

Filesize
16.6MB

MD5
6db5eab87338a136c5058ec7818c672c

SHA1
ddbc1bd16937ee0ad66fecb06466cf94bb18cd3d

SHA256
31c5addb5b97ae0026b992a436a3c1f8247425d623a17dd08ca8978269781327

SHA512
4b2dc26ce9986b416698e35edc5ab4178bc6c35e5d898e620a6ff3c61c81de732135376144d340446372ba2f4ba524c902803a583c5cb63ab0fa9dca8c97d046

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5WebKitWidgets.dll

Filesize
188KB

MD5
434d789d7d471048f5843348474aede2

SHA1
8b365a0a4aedf046732380545cbaad4c409b25bc

SHA256
ced57c1634054d2951757e3166db139e74a1e0d5ac31379061eea09fa59156e3

SHA512
4087686617118e8e52f6865b5b68bfc930d076cf6051ff91f81e360b80c0753762d44b15f06d1dc66685605dac03bfdab3fc3f2e716d974f9996994b375cd458

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5WebSockets.dll

Filesize
99KB

MD5
6d4396f2f20c49daffd8f04b9da6acca

SHA1
1cd200f98ba9c558cbefd027a25c974aff14e5d9

SHA256
1e31c3795e9cc33c59b0381b8501c4ea09e6b2fdbf63dd5e4f0c5b2029ebedd7

SHA512
5e78a7ca7502683f1b75374680c85c1aaa353a6bfcbe916b5e99aee198cebdbd62965c2b6b8ef93398935a2d741d614ebd3d212b0bfbeab27f00781ac86eb179

Download Submit
C:\Program Files (x86)\tuxlerVPN\Qt5Widgets.dll

Filesize
4.1MB

MD5
8119e367c356776f61b63bfcb0c745aa

SHA1
c0e878c0830e191dfc7c0f549fbf7d9107565a18

SHA256
dda892c5c1f716614c91dca1920b5c55ef410c262b1396612cbac801de7551e6

SHA512
d8e46561c0f0499088385b5133c268dafd19545022908d2f39cecadf129dd566f210c6d6d5a5d353e55ec27042a63b07771d44a07bffd95e3507edf3c3d9e51a

Download Submit
C:\Program Files (x86)\tuxlerVPN\WinSparkle.dll

Filesize
1.8MB

MD5
1e1f8765992bfc5b7326a03fbe7ee9ad

SHA1
af44a147f18ddf073414d22a550379f5233e414b

SHA256
14d9ada9fd17ad089d7dea3a4b6e7117f132b23cd150323c60df5ffda5c72b6f

SHA512
4ecadc62edc1525b4d3f4183b14b79cc7959e4b6134da8e359686003f963ea1a0b993c24a944f2e703ba1db8e73c366b0351e0f3953b0d82131237953eff7cba

Download Submit
C:\Program Files (x86)\tuxlerVPN\libGLESv2.dll

Filesize
708KB

MD5
88ca814144f7cb248d602ec5e07b9621

SHA1
33d1b933813fbd08128c37277708c7afd709cccc

SHA256
fe80bb8ab6e95e9a7439c67f1286f466fea079f1e19dbb594a34c9d119458e95

SHA512
d269fc7d17bc25eaa3b4c9b6cd564a4e63dcbe0b856fa22b4f9627231f45e3267ee1477f2c4b1f61de0197db5ab713146fcfaeae18ef86dd62c57dfc4f455216

Download Submit
C:\Program Files (x86)\tuxlerVPN\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Program Files (x86)\tuxlerVPN\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\tuxlerVPN\tuxlerVPN.exe

Filesize
2.4MB

MD5
6e76e1de644759a34ab3f7d738078d4e

SHA1
62ad0e1a0fd1293c19dc8b81ff83e18767403f02

SHA256
a1549175221de9eaeb23ace5e3c29c728017bd9ac94e5ad6014dcec07e44c4b2

SHA512
39795b3f3b7432f08942aad49459f5a4452173c08265a7987cd70884d790e09ed8bea37ef81cb11472e11fed0fdbfb25ee987f2d63c9948007ddc9e719cd2957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6c4280e3ebbc233ccd72f551950f9a36

SHA1
b70cef2417d9bf47c8e217838170215c35ab40fc

SHA256
1549a6daad21a4135277b1ff34f24cde927ef0b0ed24e817bfd7f2b22c0727e2

SHA512
40d9ef3be82f65652faecbbf39226509500844043381a14a657873c8011dd66d95415bead35c1177ddc6766e420a918f38ccae597404e96cbc5768263dc6927b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2ce41cea42dade2c62821053f5b91ae2

SHA1
2a691a9eef9cdff036b52f6d613cec94b453d88b

SHA256
9fac676152c1a9149a07906a35305cff1a80e29ecd262684631054f7a8616da2

SHA512
b9ae3c506dab67daa0e93a065299844ca6435d8061c949a57b066d284f75afe0d94df8b745a04307290a8126baec8ee4b490c261e432e421902bd8ad83db4fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b1dd6e07170f9683ce156634a8c13f44

SHA1
c36c26762778236282f2bf76648001f85a520ee9

SHA256
a74d25c201c309968c9d1fbd767d42c3640437677496bbc5688b9349be15bec1

SHA512
beb97ea2874fdd7e0d0ebf677228cd86d80c86316318ee50f23b7ae39287b854ba1ff4c009abe3189716b2b217a82434b0fc78a4d0301ee2c299f138c6c73a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.gameloop.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.gameloop.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ad5dda45a01467d26c7f80ec2ab16e86

SHA1
975fe3775a08fcf34b3a6f9efa4c49717cceaa77

SHA256
2e646590355e3c46407f58a9189bc91c6f108c36048355269884d037b0f1840b

SHA512
a8e9b56325a5bc0971bd312eaf5619431727cc966304415fa12a2abcd80824181d52527bfba8c6c7d4e06fac651737c84eb835733c9e8a417f6e6046b32a9f85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
014a6cd60aaaaa6956f454376ebbfb24

SHA1
f9a76bcad3978ab81eae74f238de73d409e126ac

SHA256
c36fc41f49b8e3773c67531336f6b8403e526b0fdf6cd424bf7b6adceb4b9153

SHA512
2ca7a259cf754afef8d1b15a8555bfb338403ef385fcf36431bcab4efcb89793392dce14361fd4e0ee593eb8f627732fe78d1295491b576550f00330f6db2bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5b435327c01a70569ac798e854651bc4

SHA1
6d60b1bd8527dc0a5f85ed2d1705fd0a6a5f5d28

SHA256
33c838995f24f3b9abf8369e9f600f8d498c60d5ea48a1186eed2615442afdca

SHA512
4bcb2f08cfd9598a1d2648710d68b1a35edaffd3df4f361b97f4ccd7afbf680171f70e8dec88189e444e0fdf4c88fa4fd6ccc84aaf4671a52df1d198defd578a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f5c69d9094b3aa944b558b99f86121f

SHA1
4c92411a0aa588eb79f7202c361ab26ca5edb69a

SHA256
ad23f412c65403a82bbf00da1b71c4a1735cdffb9c1bb4d6918c7fed1e9fa518

SHA512
0436f998c9cbee1b68005a43d5e9fea6670232504b0e5a8600e98970835cca3c1fdb5758ad280905bc95bf46466bb5a18b09cbd1a6ec556de573d019e52aa38b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9144831bcf6477d79c3774e05fc7c6d6

SHA1
b043c5348be046108b56b5dc3780aa513fee1ed4

SHA256
50a4cd19126ffb6562c3e5f3bb91edcaf9b1b3fb7ec28c14adbed03305c76d7d

SHA512
602996d9733aa98066e54aaddd1934232934443faa4b3b5270664f2b0ae15d091d1bdf8f2b89b58ac27075a38bbd1ab7c63d0aa6837e5132939724663eda6d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8efd7f366f4551f0baa820d6600f903d

SHA1
147998ddb4c10f5a43cb4900af3f9faf0eb763c4

SHA256
f5e16a0c1e1db06f8e158e53fd487688c7dfca5338bdadbf7a3c0c03374fbcd3

SHA512
c4c419e605349a750ef70f842139fe8cfd114ac668132e296b34518b249009546351b63cfd1e4dc093d243c246e514e1cda985d78104f2f4379320a58d32d8ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5f8230ca24c52f63991e5eef79da32b7

SHA1
b0f9e27b413d178ed386960860787a810335c8a5

SHA256
4fb088072951ca5da9702b88f9172ca548de7b124cd30b4d65e0834385de2e76

SHA512
1a8ac99b288740fbb5242e996053d16a8d0c8d07715147feabdde27567b6bd645c223283fcac31d73df76c4cbea11601cdd9b4a152a8482fd07e0a91d2a58b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
216607fa7791dc6d55ea607d51c50645

SHA1
430294a9b5cf3a663a4dea76f2e862fec91b89f4

SHA256
dc6e745c7078bef500acb2d1ba46bf2d26b46f08ba475b805a3a052a9c6bd557

SHA512
1ff40c2fbb0e18b397b2b081629646682d28aaf6619bbd49876a6d82bdc9b77aeddc7833fa07122d94de876cd60de3608ba545ea0af57d83690d96b493be68ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe574391.TMP

Filesize
120B

MD5
b780cb1659bec9dcd090786b0ef5bc4b

SHA1
0a1c3bf38ee9890af5f12cbb1f9ab96408cddc54

SHA256
52d5da35bc96429270dc6d7722fd31f0dfdbbbd11fcce72adc7455f29397b736

SHA512
2d74a727049f3d307554a0e6bb609f5c9b938d2583dbf4da840124edd8b0ea435567b4adfac2b1a10eaafd084484b96f942dd7816af380933981b41786b6a4b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
540817f1bf1227318093a0fcab24cf4c

SHA1
1cda3a5a2f54ec7b4a24802844677375313b4b5e

SHA256
ab5e3fa7c36ee72a700f24929e3f6e35c1b409b850bca66f1a7869be79897bde

SHA512
b4be68b76f56300d7f7717130c65517bc08719dc623b49fd74348090fb64a4db695325051d33d901736918b2be08f9799e774e0460a250ab885d15dfa171135a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
8ce018f664c7e97e831fb090e937dba5

SHA1
44ce4b5b74754fcc47ebde1ba051a9ba3765f8ee

SHA256
30aed51d404f520fbf7db4c7f8ff8c4002b6bae4f16b269dd437a78017e75acc

SHA512
17be8d6832d638c0e218629d44dfc2ddbaf73d3bc1d871b662964c30e06dbc776f39d7bfb8ca522ad315b39efb3d923015902384cbbfcaf191a1011f8c142342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
7e2d79499409151956e1967a2a876ead

SHA1
0935aca560f7995400cfb26a09593553ff122262

SHA256
6db3ad5d7d5aac60e7bdd1b682a04953168470a7459016003d4d82d9cc7f3a6c

SHA512
f221223e8cef10e78a8edb2371f80c0ab6b353da1ad8b813e64d49a011aaa091978f3cf215dc1158504816be6c0bebff99c47ca45d82dec166bad488aca42fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
372186cdaa2ada81947d42047604ce04

SHA1
0fcec240015d367bb933c6b66fd94ca56c2ea0ab

SHA256
be10f6a8bee13283945ba1d71028f8f9a29978e9a3215bf81d7654aa8e0663da

SHA512
c4dcec10eecf39c36c6afc8405c6602e58b39a39a7f9e375d6bfff5406632d5099c82c08c0479df1166acb34087f2b6aa43d4a177d4a6c4aa9daeeee140a225a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9IP9Q.tmp\tuxlerVPNSetup.tmp

Filesize
821KB

MD5
805bfbce579cd210bd8f130a0d95d47c

SHA1
c677fc6fd9fc799e2fb5134b87f7892918667453

SHA256
f50e379d35c7a6f4530ee1ad74bc55cce0851bcee15986da4d30ccce54a2c19c

SHA512
af751e40c7b830f64b5a597e5c9bbc1a68ab0ce2a3aefcb71d211d6337e933cfa0495e5bdb4f731dc048f0372ba9f78f40f6aa83ab657977bc40d5689699b59d

Download Submit
C:\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll

Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 436364.crdownload

Filesize
3.6MB

MD5
0ac1fd602f5ec2d2231fe311777791e8

SHA1
52ca6ccd121faf4f3aad9e7760ee1a519b323d83

SHA256
bb68113cfaba1def162b8a0df4b1d41b83ea34ce4fd5b23e0a0b75b259b62bfc

SHA512
10fb445ccf904c20b1b3736d02f53bc43a3b9161465c6915c89a06e978be9e988342f40d4c895acbfdabf236fbdbaa87c8470577626cbc2ba1838dba48e57623

Download Submit
C:\Users\Admin\Downloads\tuxlerVPNSetup.exe

Filesize
27.7MB

MD5
a13762d95c8aa54293d7c031f2ab25c2

SHA1
1f9ab79b67ed763fb8f0a9dd476d7d7718c30b65

SHA256
7f1dd585a3e81da686670af1358d92e9532e1b17ef6ccc1fcc91966ff9ded72a

SHA512
a7867395f54e172591d80cffd6fdd398d200f5f43696e3b5e2f5c09c35ccc7dc7ee83a32d9ea5549440c1989dfeb4915b1d6a8fc31e2a388d67e6c114873aee5

Download Submit
memory/648-387-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/648-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-706-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-532-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2804-392-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2804-705-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download