stormkitty | dce4f486acb10ec17770782fada8e7696d454727912a2889ebfbf466c9bbb60e

Analysis

max time kernel
17s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar Release V1.2.exe
Size

26.8MB
MD5

7eae1354932dcc6f0db4a6b6d0f00971
SHA1

61f122ed38c93d36c08ffbfde8418580edb4a44c
SHA256

dce4f486acb10ec17770782fada8e7696d454727912a2889ebfbf466c9bbb60e
SHA512

606c5f2c1a781728577d4d175409e266e738f610529877a0ef0529e2627778a1b1814069acbf74b1da14f88a51da1c84cce4697b0b00c49c45ef16dc3537e9e5
SSDEEP

786432:aJTiZQH7iiQ3w+n9tlPLKEjp4YRX+8aHDB:aViZm7iiQ3w+n9tlPLKEjp4Y1+Zt

Score

10^/10

stormkitty xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%AppData%
install_file
AMD Graphics Manager.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aa01-31.dat	family_xworm
behavioral1/memory/864-71-0x0000000000460000-0x0000000000476000-memory.dmp	family_xworm
behavioral1/memory/4776-2124-0x0000000000720000-0x0000000000736000-memory.dmp	family_xworm
behavioral1/memory/1120-2746-0x00000000009A0000-0x00000000009B6000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/864-1636-0x000000001DF00000-0x000000001E020000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/4172-1139-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4172-1140-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4172-1144-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4172-1145-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4172-1146-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4172-1143-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4172-1142-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3444	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Processer 2021.exe	voltlunars.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Processer 2021.exe	voltlunars.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Processer 2024.exe	voltlunars.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Processer 2024.exe	voltlunars.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	voltlunars.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	voltlunars.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify Update.exe	voltlunars.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify Update.exe	voltlunars.exe

Executes dropped EXE 10 IoCs

pid	Process
2664	Lunar Release.exe
424	svchost.exe
864	RuntimeBroker.exe
3216	num2.EXE
5068	jhi_service.exe
4632	voltlunars.exe
1008	lunar.exe
2252	MicrosoftEdgeUpdater.exe
4704	kanilzbpgdul.exe
4200	fdjrmaypnxal.exe

Loads dropped DLL 64 IoCs

pid	Process
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe
1008	lunar.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4172-1139-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1135-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1134-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1140-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1138-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1137-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1136-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1144-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1145-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1146-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1143-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4172-1142-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	num2.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMD Graphics Manager = "C:\\Users\\Admin\\AppData\\Roaming\\AMD Graphics Manager"	RuntimeBroker.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
6	ipinfo.io
7	api.ipify.org
8	ipinfo.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	MicrosoftEdgeUpdater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4704 set thread context of 1924	4704	kanilzbpgdul.exe	112
PID 4704 set thread context of 4172	4704	kanilzbpgdul.exe	117
PID 2252 set thread context of 1428	2252	MicrosoftEdgeUpdater.exe	155

Launches sc.exe 13 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1884	sc.exe
4376	sc.exe
1520	sc.exe
4908	sc.exe
1784	sc.exe
3824	sc.exe
2100	sc.exe
684	sc.exe
2956	sc.exe
4232	sc.exe
1784	sc.exe
2500	sc.exe
2772	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1932	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2052	taskkill.exe
2100	taskkill.exe
1236	taskkill.exe
2844	taskkill.exe
1992	taskkill.exe
3636	taskkill.exe
3104	taskkill.exe
2788	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	jhi_service.exe
5068	jhi_service.exe
5068	jhi_service.exe
5068	jhi_service.exe
5068	jhi_service.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
5068	jhi_service.exe
5068	jhi_service.exe
5068	jhi_service.exe
4632	voltlunars.exe
4632	voltlunars.exe
4632	voltlunars.exe
4704	kanilzbpgdul.exe
4704	kanilzbpgdul.exe
4704	kanilzbpgdul.exe
4704	kanilzbpgdul.exe
4704	kanilzbpgdul.exe
4704	kanilzbpgdul.exe
2252	MicrosoftEdgeUpdater.exe
3444	powershell.exe
3444	powershell.exe
4172	svchost.exe
4172	svchost.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
2252	MicrosoftEdgeUpdater.exe
4172	svchost.exe
4172	svchost.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
4172	svchost.exe
4172	svchost.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	RuntimeBroker.exe
Token: SeDebugPrivilege	4632	voltlunars.exe
Token: SeShutdownPrivilege	3756	powercfg.exe
Token: SeCreatePagefilePrivilege	3756	powercfg.exe
Token: SeShutdownPrivilege	1092	powercfg.exe
Token: SeCreatePagefilePrivilege	1092	powercfg.exe
Token: SeShutdownPrivilege	1424	powercfg.exe
Token: SeCreatePagefilePrivilege	1424	powercfg.exe
Token: SeShutdownPrivilege	1408	powercfg.exe
Token: SeCreatePagefilePrivilege	1408	powercfg.exe
Token: SeLockMemoryPrivilege	4172	svchost.exe
Token: SeShutdownPrivilege	3296	powercfg.exe
Token: SeCreatePagefilePrivilege	3296	powercfg.exe
Token: SeShutdownPrivilege	4088	powercfg.exe
Token: SeCreatePagefilePrivilege	4088	powercfg.exe
Token: SeShutdownPrivilege	420	powercfg.exe
Token: SeCreatePagefilePrivilege	420	powercfg.exe
Token: SeShutdownPrivilege	4208	powercfg.exe
Token: SeCreatePagefilePrivilege	4208	powercfg.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	1428	dialer.exe
Token: SeShutdownPrivilege	3384	powercfg.exe
Token: SeCreatePagefilePrivilege	3384	powercfg.exe
Token: SeShutdownPrivilege	3544	powercfg.exe
Token: SeCreatePagefilePrivilege	3544	powercfg.exe
Token: SeShutdownPrivilege	980	powercfg.exe
Token: SeCreatePagefilePrivilege	980	powercfg.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeShutdownPrivilege	3856	powercfg.exe
Token: SeCreatePagefilePrivilege	3856	powercfg.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: 36	2596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3508	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2664	488	Lunar Release V1.2.exe	78
PID 488 wrote to memory of 2664	488	Lunar Release V1.2.exe	78
PID 488 wrote to memory of 424	488	Lunar Release V1.2.exe	80
PID 488 wrote to memory of 424	488	Lunar Release V1.2.exe	80
PID 488 wrote to memory of 864	488	Lunar Release V1.2.exe	81
PID 488 wrote to memory of 864	488	Lunar Release V1.2.exe	81
PID 488 wrote to memory of 3216	488	Lunar Release V1.2.exe	82
PID 488 wrote to memory of 3216	488	Lunar Release V1.2.exe	82
PID 3216 wrote to memory of 5068	3216	num2.EXE	83
PID 3216 wrote to memory of 5068	3216	num2.EXE	83
PID 424 wrote to memory of 4632	424	svchost.exe	84
PID 424 wrote to memory of 4632	424	svchost.exe	84
PID 2664 wrote to memory of 1008	2664	Lunar Release.exe	85
PID 2664 wrote to memory of 1008	2664	Lunar Release.exe	85
PID 4632 wrote to memory of 3104	4632	voltlunars.exe	144
PID 4632 wrote to memory of 3104	4632	voltlunars.exe	144
PID 4632 wrote to memory of 4324	4632	voltlunars.exe	104
PID 4632 wrote to memory of 4324	4632	voltlunars.exe	104
PID 3216 wrote to memory of 2252	3216	num2.EXE	106
PID 3216 wrote to memory of 2252	3216	num2.EXE	106
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 1924	4704	kanilzbpgdul.exe	112
PID 4704 wrote to memory of 4172	4704	kanilzbpgdul.exe	117
PID 4704 wrote to memory of 4172	4704	kanilzbpgdul.exe	117
PID 4704 wrote to memory of 4172	4704	kanilzbpgdul.exe	117
PID 4704 wrote to memory of 4172	4704	kanilzbpgdul.exe	117
PID 4704 wrote to memory of 4172	4704	kanilzbpgdul.exe	117
PID 4324 wrote to memory of 1236	4324	cmd.exe	118
PID 4324 wrote to memory of 1236	4324	cmd.exe	118
PID 4632 wrote to memory of 1204	4632	voltlunars.exe	120
PID 4632 wrote to memory of 1204	4632	voltlunars.exe	120
PID 1204 wrote to memory of 2844	1204	cmd.exe	122
PID 1204 wrote to memory of 2844	1204	cmd.exe	122
PID 4632 wrote to memory of 1748	4632	voltlunars.exe	125
PID 4632 wrote to memory of 1748	4632	voltlunars.exe	125
PID 1748 wrote to memory of 1992	1748	cmd.exe	127
PID 1748 wrote to memory of 1992	1748	cmd.exe	127
PID 864 wrote to memory of 1932	864	RuntimeBroker.exe	128
PID 864 wrote to memory of 1932	864	RuntimeBroker.exe	128
PID 4632 wrote to memory of 3508	4632	voltlunars.exe	177
PID 4632 wrote to memory of 3508	4632	voltlunars.exe	177
PID 3508 wrote to memory of 3636	3508	cmd.exe	132
PID 3508 wrote to memory of 3636	3508	cmd.exe	132
PID 4632 wrote to memory of 3716	4632	voltlunars.exe	137
PID 4632 wrote to memory of 3716	4632	voltlunars.exe	137
PID 1128 wrote to memory of 4700	1128	cmd.exe	141
PID 1128 wrote to memory of 4700	1128	cmd.exe	141
PID 3716 wrote to memory of 3104	3716	cmd.exe	144
PID 3716 wrote to memory of 3104	3716	cmd.exe	144
PID 4632 wrote to memory of 1812	4632	voltlunars.exe	190
PID 4632 wrote to memory of 1812	4632	voltlunars.exe	190
PID 2252 wrote to memory of 1428	2252	MicrosoftEdgeUpdater.exe	155
PID 2252 wrote to memory of 1428	2252	MicrosoftEdgeUpdater.exe	155
PID 2252 wrote to memory of 1428	2252	MicrosoftEdgeUpdater.exe	155
PID 2252 wrote to memory of 1428	2252	MicrosoftEdgeUpdater.exe	155
PID 2252 wrote to memory of 1428	2252	MicrosoftEdgeUpdater.exe	155
PID 2252 wrote to memory of 1428	2252	MicrosoftEdgeUpdater.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:472

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1176
- C:\Users\Admin\AppData\Roaming\AMD Graphics Manager
  "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
  2⤵
  PID:4776
- C:\Users\Admin\AppData\Roaming\AMD Graphics Manager
  "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
  2⤵
  PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2580

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2920

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
PID:3300
- C:\Users\Admin\AppData\Local\Temp\Lunar Release V1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Lunar Release V1.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\Lunar Release.exe
    "C:\Users\Admin\AppData\Local\Temp\Lunar Release.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2664_133617558259968478\lunar.exe
      "C:\Users\Admin\AppData\Local\Temp\Lunar Release.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1008
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\voltlunars.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM msedge.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM firefox.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM opera.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM opera.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM iexplore.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM iexplore.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM brave.exe
        5⤵
        
        PID:1812
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM brave.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM vivaldi.exe
        5⤵
        
        PID:3188
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM vivaldi.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM Telegram.exe
        5⤵
        
        PID:3204
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Telegram.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:3192
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3508
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
- - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager"
      4⤵
      Creates scheduled task(s)
      PID:1932
- - C:\Users\Admin\AppData\Local\Temp\num2.EXE
    "C:\Users\Admin\AppData\Local\Temp\num2.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5068
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "HDNFMUHS"
        5⤵
        Launches sc.exe
        
        PID:1784
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1520
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2100
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "HDNFMUHS"
        5⤵
        Launches sc.exe
        
        PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4700
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3824
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:684
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2956
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2772
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2500
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "YWZWALUU"
        5⤵
        Launches sc.exe
        
        PID:1784
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4376
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4908
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "YWZWALUU"
        5⤵
        Launches sc.exe
        
        PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  PID:3796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcea93ab58,0x7ffcea93ab68,0x7ffcea93ab78
    3⤵
    PID:3528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:2
    3⤵
    PID:3736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:4560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:3260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:1812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1780
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
    3⤵
    PID:2244
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff727f0ae48,0x7ff727f0ae58,0x7ff727f0ae68
      4⤵
      PID:1224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3088 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2740 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:3936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2404 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=876 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:3912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5016 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:4100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4744 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3172 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3096 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:2
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4992 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5372 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:2592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 --field-trial-handle=1640,i,16279957802650800390,899658488281645637,131072 /prefetch:8
    3⤵
    PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4996

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2716

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2284

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:420
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1924
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4172

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:2740

C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4144
- C:\Windows\System32\pcaui.exe
  C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
  2⤵
  PID:224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4008

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
48KB

MD5
21af9bc981d404957c6344aaff4b3e28

SHA1
e5569bc0876884ded0d9594432cc261effc66d47

SHA256
e9515acb1b0c8f7c1008358ed424d6563cae681f0e87c53547d0cb7b9f51b051

SHA512
fb42427a114a3cb5739c30f6235c4fe3102876b2063772665c82ecce483955d357dead930e6da185f2b27fb0e72b9837ee272c3271efa5b7e80f98edf4cfaae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000039

Filesize
29KB

MD5
ff122ed83c65b35220660f38c2fa26d2

SHA1
f99451f4b2fa18429253c8b80209900bf711e8ca

SHA256
a0b52734f27b7bcdacf0d69789bb34370bfc772019a37ec52a3f62ea60f83dbd

SHA512
482afdf9c42f5277ba8412746ed79d2a9628d1287b53c7ffdf4afa3c71adc3368bdd1731b45104991a3a500451c9f02a29e0d15387fd706ff22ff0dc6869bf1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a

Filesize
42KB

MD5
c6560b6c6c938821d7fd5b3c57add117

SHA1
a6467891e6dfcf077dc63955b4d072301fc9e9bc

SHA256
310e59f033eaca139e3284dff77821b7b490a457ab290d3d79cc19a47530e020

SHA512
2d881f9e34ff61d4324134815fb5fad4b2523085eaf8749888a095541b2dcadc232d254289538f5d1e605d13a950ea36480dfded2b0a2d2a2771af071d151713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b

Filesize
88KB

MD5
c729a3930550abc4a7d40fe798093b95

SHA1
b0f3bacaead5515f457850cd8df539d71fe2bd79

SHA256
f300dbc8120410263e239caa74cc4cbf3a99a89dd686f87e256e1e12d0e45cf1

SHA512
0505e70c560696e12b6321e04c98798c4f926afaab948097ebc6854d31a3df1612dce1c53e5ce980a68dc4fd52bf92a30e30911c16bbf7a2ab350b28480729cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000d9

Filesize
51KB

MD5
588ee33c26fe83cb97ca65e3c66b2e87

SHA1
842429b803132c3e7827af42fe4dc7a66e736b37

SHA256
bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760

SHA512
6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2a4c2883e64d734c6f67ca92370314dd

SHA1
f5586ba05ed07e00648f50552dcf628acb810b5e

SHA256
3369e9576cf925760bcea62579f411d5095b9f9acd844ff3bc84e1bbf9fe9347

SHA512
c14ccba2cb24934efaf501fed71e96344c7c4185d1a8283dde7ad1d45f9c9edba549258d18e7f263ee48121f19bf19337fab8caed60f61c8e2393f9cf3a2e805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
4c6bc515a8dea8d27c66132943329176

SHA1
0f16efd98824ba40edd3920deed6c2d0f89e0a78

SHA256
76d5f32b975b31ec2cfd1af61dd668d1b7a87e35d60dc42fd388bb267a79ee81

SHA512
49af745b4c6f02534896a3278f58ae435e6ae603c7cab26f5ba635f4d9b139332be23ddc659a5d8142cf0fee8f28be03cba9363eb4e572b3ee70d97e058a3203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
387B

MD5
6908beb6bb1690e13011874472159760

SHA1
24cac32cbc9e6ece8135f61d7c1a3e37966c2b23

SHA256
e9ae90390c492227bbda225d8fc1d6dec7de17319834403ef8c595a868407826

SHA512
9ca70f5fc89ceb67a37ff504cc94730dbf3780b6c82440fe25bb9de5406f97aeebd1b44f46683efd95b562d8beb4e7b1c4fcadc6e4f26daa4610d11694298b48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
387B

MD5
d917d122f429b8ddf7c38345062ebdb0

SHA1
a0befbbca9cbe6fa26b964182e8afbfb7115595c

SHA256
1b1f2488d47329378d87c30132a1e35f05861c68e21f9c06da308b25c549b8c0

SHA512
b1a861c68bd2442bf319045c151a8b9560a8684562c5284c496c83b5d3f38aa034ad8f652f95853944990512e04a320ac2a8f54af885dda53239f266d3c1de9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe58e6b2.TMP

Filesize
347B

MD5
318d8e98f20915fd3d450cdc5ab90dc5

SHA1
3ce5c1f2b4350f00063b367c16aaad763a91a738

SHA256
30cf8252f429a212c37d0cd1b2a40a258c8cd7ee8a83c5a5f194cdb1541e5883

SHA512
b943592b435e54dd907e2cd20dce2e0b830ddab8ebfe31dd5d147b9331e00d54ff8e22802ff3ca44e0c65f7fe96227ee578134063dce02b8b555e65e6f3da1d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7ce7da6f52f4fffcdfd257c321c07d52

SHA1
ec10c8eceb3b00cde99d5337ddfab9e0f048e115

SHA256
13a78c1b3bd6ebd8ca1487cceb65e1ec4d3568a8896c582f7b03b1823329a5ba

SHA512
2205bb74c6a76efc69aedebeeab1b8a226ed6a00f146e4e60d61a7361600532bfdf3c5fd96e02a5f73cb16ea1e8f7af8e50841f58600a03f4cac66800508c1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f7fa8928c7f24a97fb010a2eaefe24b1

SHA1
c9ae2b9b556d4eecb1b7c235b819256b17456e50

SHA256
82aa56b1bd88ce91685b62d3064a8c1767fbd278a3fbea219d9e4493dd2cd926

SHA512
52ac75969384ba3dd4bc167ab8a4eabfc630d2bffe519661c4b1b1af4bb9a0cd3ff8abd5384f6d4284bbc63e91e1cae2c362ba5bc58c946a9ec2f57c0430b6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
692d07f4e9aa6ace3f59b4ac3a7a8f91

SHA1
7dbc07f757598a54dfe4379103f2328c447af81b

SHA256
09d43a3fdb608b421993e0f37ff019e86980e83d3afac3f24a181c41ee5ec787

SHA512
833799d7b546251e1d1f0b755b7399270280eee3c6df6e9f0870a8e7f5ac50ce557df1046ce2b52ac66bd5b1176fa480e80333f26df52664822931f628784d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
51beab5870ebfa6586852b3ed9b9b8f6

SHA1
f23cb060792a5d5c7d61b22754b9fce936300703

SHA256
45be64100036ab1f0af7c53997fbecf044764b0c205c6444fd7d42f48b2873be

SHA512
2ef87658a39dfcd23a54330f835438b12621f9709d85bfaa27ee7d09395701e23739e750ef2161b069789e3d4d82ffdc3d8e361d01f2c6a7e2da37805003221a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
7b68201d8be22e6e284dc57a91d5c1b1

SHA1
22d43413c1cf3507beabba061577847dbe7c4a93

SHA256
11e2fe28d6753fe61dda8a22739fc2dfe3b0f2267cfe9b823993e1af11035e69

SHA512
3b2679d79102a26a941af0eb10cef31ccd1e1fbab0ce0196455c62f246411242d3bec8bc4f5f95d5b83946f067b4adf51010713e9ec74993b6016e7851e33a36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
d057cf8981c0e2519f039efb43357693

SHA1
5bd3897793ae90e2cf0151873d7b324fc18036aa

SHA256
49988df321d056c74f4ff96d9e0661ad6bd5306a835fa0b6b07ee91c7415f9ca

SHA512
b8ebbbc5657a75d28fffc1925d8d8143f9359a440b9717bf24f0273e558b9ac30909d2aa9d345ef59808bfcc43010f9a6bd7692c16f4f0b4015774d50795c28f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
5a739122585bd9e8c795fa2282c791a5

SHA1
9572f4599cf523af26ef542dca830fac925facca

SHA256
2d69d1288062a529bfe5e9f453841f8798c055b1266d473cb8a4fa5f2e2374d7

SHA512
336f0b9507181cc35803ebe27c26d45bc7a0dc4a9ffff3d34c3bee6bc60ed76121f4d5c854a768e7c807dfda404b8bd256dd93f0e1914cf2a5546f492b219557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b50602c1f1398c4ebc7abfca71e7dbe

SHA1
ca85da45cd36752a9f878b1eb8ee30a126dcd2d4

SHA256
f6cd9aaa6a28e178d0e5cc3f41778d771ba30ffceeb8c7b52b87eda278c056ab

SHA512
3b6dafa49bfdaa162dc61f58b7ee9193277badadaacfac5dfef596635028c2a0b9960dc1ec50330c8e0804f0427719d19f9d28d0449cb38efd47b2baa73b4b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2c10c0a0f144f0ecd230a061763ab1f

SHA1
ed3e28f8d31cce98be6596dcf5a1d3f40c928e11

SHA256
a60c15c07d504f1157b625982b708229d391d5a9b940e7e9ed835e39d8db2943

SHA512
ef27d28be1826045428c11073642e54be43454ea51a85675e7d3ceb8e19e4d7d865c9e43ab25357fb3d8cb90d116e08444063e67af0182731148376d044c9124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
1a04458daa8460795ce64bc95e6d3c1b

SHA1
c2f7c1dee93c4ff7baf6c00fcbb3d4fa45d7ec07

SHA256
65b05bf9a1dadeccd46b8c12f292597e63b6e578857821214c4c4d0585e22c82

SHA512
fa327401b169485c3bd79354ee12569fa90a62da65177bdf6f97ca05281f8f7b3d829628ee40b7d9d5e4469039cb920982862272b34d7ba3469d17388109263c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
7349b924abf2779c8d39be8b9843553b

SHA1
9587b520a02436560a0b907aac326110e41eca5d

SHA256
d1f7bf647b70d5a120fcafc475f87632d6a7b5c43dd4f620883ce11d32a087be

SHA512
62965c4db5d2e3a2f16c623c9bc125b4c5cfc4e975817dde32fff94b472d9c0f9dac07bf0b9bf9d91ba5a19466c6dafaf301cdfd9bad802981e134b6ff4304cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
0ac55f1c285bdb9af016b5fb3142fcf2

SHA1
bec8948b2b0adababedea320ea54c24cb7a8fd7a

SHA256
0ffbcfd9290964be80223b8be99921932857b8b67361b7cdc556f577d5284f70

SHA512
10faebc3771f2b0c6dbc6a97e1ad353a5df7eaaff722683c5dfd8b6c2580521be6ad09897aaba2442c28b53c0e21ff4ffcbbb1c9f7e455807fae26fa961e9d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c48c4f10aa68109bb4dce43cfa000200

SHA1
90d25a7781b76a61e7f4b5e7ff029f38a36982de

SHA256
a9f17c8beb621834c4d35002f658184be250ef321336f8a89e9f7bc2f6da5dda

SHA512
3d969fa11eb47d0135940e5848bea88abba97eb890afdd4d952abd358fb02c5aef738e8aba3c89e2bfb9e270f70786b0d037b01800055bd2aa8abcf64fdd1e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
762afab192c65d35756a6cbe8f1cf779

SHA1
3e26ff1b8a30e9b51a69d445e760571c3ab2f31a

SHA256
405499c9b032c9537d818593ee168f3899f218cfbb862ffab421acd0b8438789

SHA512
e4d5ccc9938cb3c7bcf0c311325d34f9365d0fa82a24a6338268503e376e877854066f7edda4a79528b0a0e6755b71168449a80d66ecaf6db1436b3722cda8b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3b70f1de7ab5b75025dc27e22044070d

SHA1
2f38abcf1ae4e101c2af0ca9d5927551215a50dc

SHA256
a8f468dfac9354094e73bddca371992071ca389a279029a6aeb745162b84fcf6

SHA512
b13b4ff2dc20529318abb1e48d0691f45b81e82317f1e1a22a8b7f892a4d556754d2677da5872c97e285b6d44fb73b0198e1a6fc846f75303b59038060c91375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4c814f3ab2ad7ba88a62824fd67b023e

SHA1
f63d697b1e2116bbb011e2f5ecaaa71751069904

SHA256
5f326890ff4869a9e02125d3e45ba3b00b19a8f5f9c416f7814ff98324c4dc7c

SHA512
38f7432c8d209c2eb05c3331b835989b5c2dedc89a33c743d4e6d138df2de74691a63025f3481c64eb637b45851c8f1f1ab2770c112fc75ac4017066a71d3dcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
852b695fcea7fd116b17c22c8b7c7068

SHA1
9e64b4cf1d1dc4fbb0f7455c445131c52a68dca4

SHA256
1b15bef903ad5a386b3c10137ce00d58f55aea7d1d2678c63e28736663c221f0

SHA512
b5ad4062a23fb4d0a439f7379bb328dd8f0884393aca755d2ad04b4abd47957895e70f1298380837cc172f9e3cbe9899f9b655ca6c1e94176e505619db306aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
84KB

MD5
443cc81df49b632e939bf4666a3e10ad

SHA1
f7ef704df6bb743985dcf01117e328dc953b65f8

SHA256
93a5de640eda7bc93404e23bbe9e2f43abafaafc150a91867670b184407ef074

SHA512
48f0bac61ef044831b3163f62e94384baed15d6bd4b8bbf75a63b23522004cdd02480bc39caf0b257e3af15fcb0ecd1ba3ec9a7be1974e22d1f8cf2fea51e9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
fa0d1ef92e0ef071a625ac94bd60f54f

SHA1
3f642ce268b1b9c72b1b3fb8c16d792eabd8c865

SHA256
2cf4eefa186aa5c1f927ca0757d90f08743c6292534658fcd444ff5b33280827

SHA512
5c46f19f27934cf114a742e0c2465c2b2c0ef370acce377e69a13d2cde3caee9416c9577c00b5dbb042ca4827b870abdc4d62b4c8e7a1c5d6479aa903566c557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
86KB

MD5
c9b8c1da6779440eea85174bfd60d084

SHA1
86421d3420fd22c042081c2a1df34c5523169ce7

SHA256
63efbc8cfca03709b2e429bd85b58a705cdfb50d948f5618435cfac7e7430925

SHA512
4563da9b66ad7e82211f6ae13ac60a2d215ae9a455f56cb7a6b587dabb2990a93d74c1a014feb33e4708d51eaa5e1749cd07c9e80346fe31001696cdee3daa71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5817c9.TMP

Filesize
83KB

MD5
a8bc9b5f3f5e93950ef07a53fb359d43

SHA1
86cd73300cd88e05a6837368d09064d34aeed2ac

SHA256
f3ff1a364d798f0a664c3a0040d3860d241f146be97e17541d153635e31e2d2f

SHA512
730e3efb9ae7990e35bce781c376581200330a782149cebe12c4f98467827f412f5eeae36d74f2ec08b30bf6742a850de9c62aec1996786ee0fb6d32458edec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe

Filesize
2.5MB

MD5
1994ad04639f3d12c7bbfa37feb3434f

SHA1
4979247e5a9771286a91827851527e5dbfb80c8e

SHA256
c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c

SHA512
adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lunar Release.exe

Filesize
10.1MB

MD5
999fc235f3be4e39dad4523ca297a7c2

SHA1
55852bd249ae7b2392e67e8a314336442b205436

SHA256
9b12e90cd2a650f55fea48e83085ce6656296fc0a7663659f21724e02943b2f8

SHA512
622e7928df55637b7276cb86ec503acb67ec2eb5e3b98ca3260ef6a286aa70d1eb4fd3acc05c6f1edd3cce209357989014008a3ca84a1e38ea8f31fc92ac8591

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\Crypto\Hash\_SHA256.pyd

Filesize
21KB

MD5
a442ea85e6f9627501d947be3c48a9dd

SHA1
d2dec6e1be3b221e8d4910546ad84fe7c88a524d

SHA256
3dbcb4d0070be355e0406e6b6c3e4ce58647f06e8650e1ab056e1d538b52b3d3

SHA512
850a00c7069ffdba1efe1324405da747d7bd3ba5d4e724d08a2450b5a5f15a69a0d3eaf67cef943f624d52a4e2159a9f7bdaeafdc6c689eacea9987414250f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
65KB

MD5
9ac62ff292d4ae060777d8fa192a5bbc

SHA1
37039579fd2940f2b7965d65fcbfb12bfec6aaee

SHA256
691fcb5dfa44d54d8e233989ef826d164bd0f3002052c0011b2698f4b5a2b062

SHA512
e81ec0bf563e85e127b1d3ed397426d4225eb3df697fa96e125d2bdaebd8c1f2c9b0604189fc8a6eae11f362eb293f7185344e4859c403a001cc0e71dfa1c60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aku4e30b.owp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\num2.EXE

Filesize
4.3MB

MD5
e6fe75c4390d3970545f0fdbb3274244

SHA1
8b6ed33f1778800cf0549bd7214249bdb81fbb58

SHA256
48aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5

SHA512
17b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2664_133617558259968478\lunar.exe

Filesize
12.2MB

MD5
bfe10dcf1f862246816369f4ea03d68e

SHA1
86339ae7a7cdb197d7bf7a997022b60871404595

SHA256
a53db950e42653294e0eccdfdefb28267efe227c298fcb2e5366a2ee412e6f70

SHA512
e64823f44e0f9a13ced884fda17d9427f73c76f70bf12ad524dd4fb8353901cf2fb675cfcb83663d929949acee5695d1efc54371a32d8a209965972011444e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c6b20332b4814799e643badffd8df2cd

SHA1
e7da1c1f09f6ec9a84af0ab0616afea55a58e984

SHA256
61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8

SHA512
d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Hash\_BLAKE2s.pyd

Filesize
14KB

MD5
9d28433ea8ffbfe0c2870feda025f519

SHA1
4cc5cf74114d67934d346bb39ca76f01f7acc3e2

SHA256
fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284

SHA512
66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Hash\_SHA1.pyd

Filesize
19KB

MD5
ab0bcb36419ea87d827e770a080364f6

SHA1
6d398f48338fb017aacd00ae188606eb9e99e830

SHA256
a927548abea335e6bcb4a9ee0a949749c9e4aa8f8aad481cf63e3ac99b25a725

SHA512
3580fb949acee709836c36688457908c43860e68a36d3410f3fa9e17c6a66c1cdd7c081102468e4e92e5f42a0a802470e8f4d376daa4ed7126818538e0bd0bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
8f4313755f65509357e281744941bd36

SHA1
2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0

SHA256
70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639

SHA512
fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\charset_normalizer\md.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\charset_normalizer\md__mypyc.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\vcruntime140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\voltlunars.exe

Filesize
22.2MB

MD5
f41d7855a35edb404bed4062111c0341

SHA1
405bf84fde9a541e484b7df73aa9ac2c3c3629c7

SHA256
78484e6c8a30095299a0b5287e2c4ce4f4b2dc35aa17a67655311543eed52474

SHA512
f276e03c594a01e607bc69acc28dcd449c6383e03702cbef41ef113943e2f250efad43e201d7e9bedf8142561c362b42122e022071b5a859434c1de33ac1300e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_424_133617558261999465\zstandard\backend_c.pyd

Filesize
512KB

MD5
4652c4087b148d08adefedf55719308b

SHA1
30e06026fea94e5777c529b479470809025ffbe2

SHA256
003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795

SHA512
d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
12.2MB

MD5
aabe27cfef7627bef4a34f49fa698a82

SHA1
00f6f02d8bd64a3221d76c40727a7e0ad44fe14c

SHA256
d4fb5c902296b58558fc1cb63a1e01563bd02cde3944d3fdd8901c047500fc4e

SHA512
97cf8141a15ce26b56daf7b255a161e3a0ca86509281c3765f80e872c0f121e31a0ddf62a827355e393c4243dbac86459d274fa643db646279f8d4f4ba71f705

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA97.tmp.dat

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 390229.crdownload

Filesize
5.4MB

MD5
cfefb36838560b726b44c5eb64bc55f6

SHA1
28b9646a5d6e9aecf4b6cdf6bb97fe30f18900f3

SHA256
eb02f21fab1f3bd916d086a5129c7d9aa39027cab9b61e93866e0bfb0724d85a

SHA512
732173841815647fe8d3fa758669afebcf9e754c93ed1722b4d4119d04f6a5297ca6177ee1c777b3302ff6f72a810a037b2d344c66ba6086af791ed8a50c9519

Download Submit
memory/472-1204-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/472-1203-0x0000024AF0230000-0x0000024AF025B000-memory.dmp

Filesize
172KB

Download
memory/640-1193-0x000001D983710000-0x000001D983734000-memory.dmp

Filesize
144KB

Download
memory/640-1194-0x000001D983740000-0x000001D98376B000-memory.dmp

Filesize
172KB

Download
memory/640-1195-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/696-1198-0x000001F275AD0000-0x000001F275AFB000-memory.dmp

Filesize
172KB

Download
memory/696-1199-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/732-1210-0x000001FF39700000-0x000001FF3972B000-memory.dmp

Filesize
172KB

Download
memory/732-1211-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/864-71-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/864-1636-0x000000001DF00000-0x000000001E020000-memory.dmp

Filesize
1.1MB

Download
memory/996-1214-0x0000025F623D0000-0x0000025F623FB000-memory.dmp

Filesize
172KB

Download
memory/996-1215-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/1000-1207-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/1000-1206-0x0000019CF22B0000-0x0000019CF22DB000-memory.dmp

Filesize
172KB

Download
memory/1068-1224-0x00007FFCD1130000-0x00007FFCD1140000-memory.dmp

Filesize
64KB

Download
memory/1068-1223-0x000001384E1C0000-0x000001384E1EB000-memory.dmp

Filesize
172KB

Download
memory/1120-2746-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/1428-1164-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1428-1161-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1428-1163-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1428-1162-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1428-1190-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1428-1166-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1428-1167-0x00007FFD110A0000-0x00007FFD112A9000-memory.dmp

Filesize
2.0MB

Download
memory/1428-1168-0x00007FFD10590000-0x00007FFD1064D000-memory.dmp

Filesize
756KB

Download
memory/1924-1126-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1924-1127-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1924-1128-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1924-1130-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1924-1133-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1924-1129-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3444-1156-0x000002739CEF0000-0x000002739CF12000-memory.dmp

Filesize
136KB

Download
memory/4172-1142-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1144-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1136-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1137-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1138-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1140-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1134-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1141-0x000002AC695E0000-0x000002AC69600000-memory.dmp

Filesize
128KB

Download
memory/4172-1145-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1146-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1135-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1139-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4172-1143-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4776-2124-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download