Malware Analysis Report

2024-11-30 13:02

Sample ID 240620-dplteavhph
Target Loader.exe
SHA256 5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
Tags
evasion execution persistence pyinstaller trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence pyinstaller trojan

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Uses Volume Shadow Copy WMI provider

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:11

Reported

2024-06-20 03:28

Platform

win7-20240611-en

Max time kernel

485s

Max time network

954s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\users\admin\appdata\local\temp\loader.exe  N/A

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\loader.exe  N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini \??\c:\users\admin\appdata\local\temp\loader.exe  N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\Downloads\DemonWare.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 236 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 236 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 236 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 236 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 236 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 236 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 236 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 236 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2144 wrote to memory of 2948 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2144 wrote to memory of 2948 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2144 wrote to memory of 2948 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2144 wrote to memory of 2948 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2948 wrote to memory of 3028 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2948 wrote to memory of 3028 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2948 wrote to memory of 3028 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2948 wrote to memory of 3028 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3028 wrote to memory of 2680 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3028 wrote to memory of 2680 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3028 wrote to memory of 2680 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3028 wrote to memory of 2680 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2680 wrote to memory of 2592 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2680 wrote to memory of 2592 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2680 wrote to memory of 2592 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2680 wrote to memory of 2592 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2948 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2948 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2948 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2948 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 632 wrote to memory of 1852 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 632 wrote to memory of 1852 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 632 wrote to memory of 1852 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 632 wrote to memory of 1908 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 632 wrote to memory of 1908 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 632 wrote to memory of 1908 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 632 wrote to memory of 1256 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 1256 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 1256 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1908 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1908 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1852 wrote to memory of 1216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1852 wrote to memory of 1216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1852 wrote to memory of 1216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 632 wrote to memory of 2204 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 2204 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 2204 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 1896 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 632 wrote to memory of 1896 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 632 wrote to memory of 1896 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2680 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2128 wrote to memory of 2988 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2128 wrote to memory of 2988 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2128 wrote to memory of 2988 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2128 wrote to memory of 1648 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

\??\c:\users\admin\appdata\local\temp\loader.exe 

c:\users\admin\appdata\local\temp\loader.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:13 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:14 /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef56e9758,0x7fef56e9768,0x7fef56e9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1556 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2224 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1628 --field-trial-handle=1368,i,10922390261086199293,743662435316273471,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef56e9758,0x7fef56e9768,0x7fef56e9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3300 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3356 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3356 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3764 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:15 /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3920 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3880 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2640 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2276 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1488 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2652 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2660 --field-trial-handle=1360,i,18141033154302318829,10503954639608913391,131072 /prefetch:8

C:\Users\Admin\Downloads\DemonWare.exe

"C:\Users\Admin\Downloads\DemonWare.exe"

\??\c:\users\admin\downloads\demonware.exe 

c:\users\admin\downloads\demonware.exe 

\??\c:\users\admin\downloads\demonware.exe 

c:\users\admin\downloads\demonware.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:16 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:17 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:18 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:19 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:20 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:21 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:22 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:23 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:24 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:25 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:26 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:27 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:28 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:29 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:30 /f
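The process list above is the part of this report a detection engineer will reuse. Three things stand out: executables named after Windows binaries (explorer.exe, spoolsv.exe, svchost.exe) run from C:\Windows\Resources instead of C:\Windows or System32; schtasks registers a task named "svchost" whose target is c:\windows\resources\svchost.exe and re-registers it with /f about once a minute with an advancing /st (03:13 through 03:30); and cmd.exe wraps an sc stop / sc delete pair against a service named like a kernel driver file (iqvw64e.sys). The Python below is an added example written for this page, not sandbox output and not the sample's code. It tokenises Windows command lines, unwraps cmd /c, and applies those three rules. SAMPLE_COMMAND_LINES is copied from the Processes section; SYSTEM_BINARY_NAMES, SYSTEM_DIRS and the rule names are assumptions.

```python
"""Command-line triage for this report's Processes section.

Added example (editor's code, not sandbox output or the sample's code).
SAMPLE_COMMAND_LINES are copied from the report; SYSTEM_BINARY_NAMES,
SYSTEM_DIRS and the rule names are assumptions. Any source of full command
lines (e.g. the CommandLine field of Sysmon Event ID 1) can be fed to triage().
"""
import shlex
from collections import Counter
from pathlib import PureWindowsPath
from typing import NamedTuple

# Sample input copied from this report's Processes section.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"',
    r'C:\Windows\Resources\Themes\icsys.icn.exe',
    r'c:\windows\resources\themes\explorer.exe',
    r'c:\windows\resources\spoolsv.exe SE',
    r'c:\windows\resources\svchost.exe',
    r'C:\Windows\Explorer.exe',
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:13 /f',
    r'"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys',
    r'"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys',
    r'C:\Windows\system32\cmd.exe /c cls',
    r'sc delete iqvw64e.sys',
    r'sc stop iqvw64e.sys',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process',
]

# Assumption: Windows binary names malware likes to borrow, and the only
# directories they legitimately run from (explorer.exe lives in C:\Windows).
SYSTEM_BINARY_NAMES = {"svchost.exe", "spoolsv.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


class Finding(NamedTuple):
    rule: str      # masquerade (T1036) | scheduled_task (T1053.005) | service_tamper (T1489)
    detail: str
    cmdline: str


def _tokens(cmdline):
    # posix=False keeps backslashes literal; surrounding quotes are then dropped.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _image_name(token):
    name = PureWindowsPath(token).name.lower()
    return name if name.endswith(".exe") else name + ".exe"


def _parent_dir(token):
    return str(PureWindowsPath(token).parent).lower()   # "." for a bare name


def _slash_opts(args):
    """Map /opt -> value for schtasks-style arguments (flags like /f map to "")."""
    opts = {}
    for i, a in enumerate(args):
        if a.startswith("/"):
            nxt = args[i + 1] if i + 1 < len(args) else ""
            opts[a.lower()] = "" if nxt.startswith("/") else nxt
    return opts


def analyze(cmdline):
    """Apply the three rules to one command line and return the findings."""
    toks = _tokens(cmdline)
    findings = []
    # Unwrap "cmd.exe /c <command>" so the wrapped command is judged on its own.
    while toks and _image_name(toks[0]) == "cmd.exe":
        lower = [t.lower() for t in toks]
        if "/c" not in lower:
            return findings
        toks = toks[lower.index("/c") + 1:]
    if not toks:
        return findings
    image, args = toks[0], toks[1:]
    name, parent = _image_name(image), _parent_dir(image)

    # Rule 1: a system-binary name executed from outside the system directories.
    if name in SYSTEM_BINARY_NAMES and parent != "." and parent not in SYSTEM_DIRS:
        findings.append(Finding("masquerade", f"{name} launched from {parent}", cmdline))

    # Rule 2: schtasks /create with a task name that imitates a Windows binary
    # or a target outside the system directories.
    if name == "schtasks.exe" and "/create" in (a.lower() for a in args):
        opts = _slash_opts(args)
        task, target = opts.get("/tn", ""), opts.get("/tr", "")
        reasons = []
        if task.lower() + ".exe" in SYSTEM_BINARY_NAMES:
            reasons.append(f"task name {task!r} imitates a Windows binary")
        if target and _parent_dir(target) not in SYSTEM_DIRS:
            reasons.append(f"target {target} is outside the system directories")
        if reasons:
            sched = f"/sc {opts.get('/sc', '?')} /st {opts.get('/st', '?')}"
            findings.append(Finding("scheduled_task", "; ".join(reasons) + f" ({sched})", cmdline))

    # Rule 3: sc stop/delete; note when the service is named like a driver file.
    if name == "sc.exe" and len(args) >= 2 and args[0].lower() in {"stop", "delete"}:
        kind = "driver-named service" if args[1].lower().endswith(".sys") else "service"
        findings.append(Finding("service_tamper", f"sc {args[0].lower()} {kind} {args[1]}", cmdline))
    return findings


def triage(cmdlines):
    return [f for c in cmdlines for f in analyze(c)]


def count_by_rule(findings):
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] {f.detail}")
```

Run over the command lines above this yields three masquerade findings (the Resources copies of explorer.exe, spoolsv.exe and svchost.exe; the genuine C:\Windows\Explorer.exe is not flagged), one scheduled-task finding and four service-tamper findings (the two cmd /C wrappers plus the two sc.exe children). When hunting, key on the task name and target path rather than the start time, because the report shows the time changing at every re-creation; a /tn with no folder prefix lands in the root of the task library, so `schtasks /query /tn svchost /v /fo list` on a suspect host shows the registered target. The location check is only a first filter: a binary in a legitimate directory can still have been replaced, so pair it with signature or hash checks (the Files section gives the hashes of the dropped copies). The report shows the iqvw64e.sys service being stopped and deleted but not what ran under that name beforehand, so rule 3 reports the tampering without claiming more.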

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             www.google.com                    udp
GB       142.250.187.196:443    www.google.com                    udp
GB       142.250.187.196:443    www.google.com                    tcp
US       8.8.8.8:53             play.google.com                   udp
GB       142.250.179.238:443    play.google.com                   udp
N/A      224.0.0.251:5353                                         udp
GB       142.250.187.196:443    www.google.com                    udp
GB       142.250.179.238:443    play.google.com                   udp
GB       142.250.187.196:443    www.google.com                    udp
GB       142.250.187.196:443    www.google.com                    tcp
US       8.8.8.8:53             apis.google.com                   udp
GB       142.250.200.14:443     apis.google.com                   udp
GB       142.250.179.238:443    play.google.com                   udp
GB       142.250.179.238:443    play.google.com                   tcp
US       8.8.8.8:53             ogs.google.com                    udp
GB       142.250.187.238:443    ogs.google.com                    tcp
US       8.8.8.8:53             ssl.gstatic.com                   udp
GB       172.217.169.3:443      ssl.gstatic.com                   tcp
US       8.8.8.8:53             gofile.io                         udp
FR       151.80.29.83:443       gofile.io                         tcp
FR       151.80.29.83:443       gofile.io                         tcp
US       8.8.8.8:53             api.gofile.io                     udp
FR       51.38.43.18:443        api.gofile.io                     tcp
US       8.8.8.8:53             s.gofile.io                       udp
FR       51.75.242.210:443      s.gofile.io                       tcp
FR       51.75.242.210:443      s.gofile.io                       tcp
US       8.8.8.8:53             content-autofill.googleapis.com   udp
GB       172.217.169.10:443     content-autofill.googleapis.com   tcp
US       8.8.8.8:53             store9.gofile.io                  udp
US       206.168.190.239:443    store9.gofile.io                  tcp
US       206.168.190.239:443    store9.gofile.io                  tcp
US       8.8.8.8:53             google.com                        udp
GB       142.250.178.14:443     google.com                        tcp
GB       142.250.178.14:443     google.com                        udp
US       8.8.8.8:53             codecmd01.googlecode.com          udp
IE       172.253.116.82:80      codecmd01.googlecode.com          tcp
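Most rows in the table above are browser traffic: a Chrome session ran during the detonation (see the Processes section), the 8.8.8.8:53 udp rows are its DNS lookups, and the udp rows to port 443 are consistent with QUIC. What remains once that noise is set aside is the gofile.io family (gofile.io, api.gofile.io, s.gofile.io, store9.gofile.io) over 443 and a single plaintext HTTP connection to codecmd01.googlecode.com. The Python below is an added example written for this page, not sandbox output: it parses rows in the report's own column order (tolerating the empty Domain column on the 224.0.0.251:5353 row), drops DNS, multicast and browser-noise rows, and returns the remaining hosts with their endpoints plus a list of flags. NETWORK_ROWS is a subset copied from the table; BROWSER_NOISE and the flag rules are assumptions.

```python
"""Network-table triage for this report's Country / Destination / Domain / Proto rows.

Added example (editor's code, not sandbox output). NETWORK_ROWS is a subset of
rows copied from this report's Network section; BROWSER_NOISE and the rules are
the editor's assumptions, chosen because a Chrome session ran during the
detonation and its own traffic should not be attributed to the sample.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Sample input: a subset of this report's Network rows in the report's own column
# order. The mDNS row has no Domain column, exactly as on the page.
NETWORK_ROWS = """\
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 gofile.io udp
FR 151.80.29.83:443 gofile.io tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 s.gofile.io udp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 codecmd01.googlecode.com udp
IE 172.253.116.82:80 codecmd01.googlecode.com tcp
"""

# Assumption: domains whose traffic belongs to the browser the sandbox launched,
# not to the sample. googlecode.com is deliberately not on this list.
BROWSER_NOISE = ("google.com", "gstatic.com", "googleapis.com")


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str   # "" when the report shows no name for the flow
    proto: str


def parse_rows(text):
    """Parse whitespace-separated rows; a 3-field row has an empty Domain column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_browser_noise(domain):
    return any(domain == s or domain.endswith("." + s) for s in BROWSER_NOISE)


def triage(conns):
    """Return (iocs, flags).

    iocs maps each non-noise name to the set of 'ip:port/proto' endpoints it was
    contacted on; flags lists conditions an analyst should look at first.
    """
    iocs = defaultdict(set)
    flags = []
    for c in conns:
        if c.port == 53 and c.proto == "udp":
            continue  # the DNS query itself; the following row carries the name
        if not c.domain:
            if ipaddress.ip_address(c.ip).is_multicast:
                continue  # mDNS/SSDP chatter from the sandbox guest itself
            flags.append(f"unattributed flow to {c.ip}:{c.port}/{c.proto}")
            continue
        if is_browser_noise(c.domain):
            continue
        iocs[c.domain].add(f"{c.ip}:{c.port}/{c.proto}")
        if c.port == 80:
            flags.append(f"plaintext HTTP to {c.domain} ({c.ip})")
    return dict(iocs), flags


if __name__ == "__main__":
    iocs, flags = triage(parse_rows(NETWORK_ROWS))
    for name, endpoints in sorted(iocs.items()):
        print(name, sorted(endpoints))
    for flag in flags:
        print("FLAG:", flag)
```

The report does not attribute flows to processes, and the Processes section shows both Chrome and a DemonWare.exe run from the user's Downloads folder, so pair these endpoints with process-level telemetry before treating any of them as the sample's own infrastructure. gofile.io is a public file-hosting service, so the indicator worth keeping there is the specific object fetched, not the domain; the plaintext HTTP flow to codecmd01.googlecode.com is the one an analyst can inspect directly in the capture.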

Files

memory/236-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\loader.exe 

MD5 771eb39dd1312a63bb974018cb70d1b4
SHA1 94d751af62d417ff127ec0890179b5412b5e9e41
SHA256 98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb
SHA512 4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 902bc13c7b437a5ea7814a56c7083c7e
SHA1 61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8
SHA256 a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b
SHA512 032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

memory/236-18-0x0000000002B20000-0x0000000005084000-memory.dmp

memory/2144-21-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 692f6a69e2b5df273f8085ee9e0a84e5
SHA1 18fc74abcc194d1e0b932e50dbabaeba9817133e
SHA256 711510947d8d6bc03ade3ff80cf976f129507b9b1dec830c6d6817c39be9ae2d
SHA512 acb648fee0199ae00d7656289156644cd2cf35edef15e02eac31cf590ad1d42bb676bb933facc1bec9abf819b25a61f39e0e535f5be2d17969f39c6c2f68b4e6

C:\Windows\Resources\spoolsv.exe

MD5 6d63abba24f7eb9093d078fb235707c5
SHA1 0ea75027bbf774766653a285531cb24c17c10d06
SHA256 3e5ff75a9c265ce9f05f8825e03f2bb771092b4cd10d25a2f7c7776c77d7d072
SHA512 6b90a8741e44668b013bbaf0fab52b66d4a89b01fecbdee91b2d633adf974c73a704ab67bea2284e9a4bb61f43699dd718abfa81680623ef2daa965f2df6875a

memory/2592-61-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2680-60-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3028-59-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2948-58-0x00000000002B0000-0x00000000002CF000-memory.dmp

memory/2948-57-0x0000000000400000-0x000000000041F000-memory.dmp

memory/632-56-0x0000000140000000-0x0000000142564000-memory.dmp

\??\c:\windows\resources\svchost.exe

MD5 a57ed3e1bf50d3ab3d27332e0a9b1321
SHA1 7e92ac988fff0bf02c0380cb4747442ae65a231a
SHA256 d8a547245029ea6f136750a8ef96372e61f369ef7d14021c5befe4296e42fae2
SHA512 ee4f4b894668ba60c2f7058f8f9da1f9ce1730a703517cff6c1d5d01ef2f6937c8750834e631f42693932c546816b4397ec7124ec18051987e2eeac7d70d21f3

memory/3028-62-0x0000000000400000-0x000000000041F000-memory.dmp

memory/236-64-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2144-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/632-65-0x0000000140000000-0x0000000142564000-memory.dmp

memory/632-66-0x0000000140000000-0x0000000142564000-memory.dmp

memory/632-67-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 b073ef765e06f446add1b5dd51cccef1
SHA1 65b3ce621038bccb35649ee83de90e8759eb32f9
SHA256 e5bbef67d1b0b3bfe291e2451f7624824b309fa6644d2695c5c334aba85034f0
SHA512 7c2ffc8681875abaaaa04b33e52120cc2404cf855b851f918f26a1c104f3143f1c76e0c44d5d9ebf8ddb0b3c2d8d91488c36afb89d08eb558d9555811a9fcc71

memory/632-77-0x0000000140000000-0x0000000142564000-memory.dmp

memory/1896-81-0x0000000140000000-0x0000000142564000-memory.dmp

memory/1896-80-0x0000000140000000-0x0000000142564000-memory.dmp

memory/1896-82-0x0000000140000000-0x0000000142564000-memory.dmp

memory/1896-83-0x0000000140000000-0x0000000142564000-memory.dmp

\??\pipe\crashpad_2128_SRLBYHRGKTBGCJUM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a319b29f1060b4124ad53c7ace1e2147
SHA1 2eff8820b480c221257bc208f71a66dccb51aad6
SHA256 b6b0e8b99cd4d9004b9c335e451a8bd268de53ada3358f43af5003437336d9cb
SHA512 1c6f576871a72d3d853932d00bc912b56cb0a28c06a695172d64b4c1075cf3d77065394bbf67c488799b651b2dce4b5c5698acf9c661934fb9416c24c3b9ebce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d06000b8ffcc3b9c4e5705a9414e6745
SHA1 ab8f55e1739a78c453c5f3f48575760b88ddb66c
SHA256 928f0bd89db891b940db0a340e63891c2b168de80df4037dc1eb22c568c78ec4
SHA512 25678aa364cc64d07dd62ee3398bf56fe34fff3d94eb919054c9f91a183320070c193ef86d0df3bf0b2fe847b4230bfc2ecc36b4af3fddab44905e82eaccc454

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 95485021f4e86715f42aa18e3e94317d
SHA1 f11cc990d5b68cd56142020e29f909337856832f
SHA256 8638fcdc55e69fca837446ed5b071e11207ec31b4d3d20b5739a265d5026c756
SHA512 760f9c9584fa77243175e08e707dfde9024bc184fbd0d8221314c03daabf4c92630ec221a66ef2cc9d9cf087bdb59e101b0696bdaa223d4f27b15a1946e2d717

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a25b2737-9c21-4db3-9ef2-c6a9dc610fec.tmp

MD5 258f407d5b9837b0934d9c45b8382860
SHA1 8dbcbe5aef9046b3e9efe7820a865c642734fd8d
SHA256 4811954c9f1e36e591501870f0e926f8040553d23e2246e3bea8aa1928d4577d
SHA512 5279b83028b8fab105e6e8e191e4aab05ef045475eaf1f4501983094e6aede51b784092bd5301a2fb4d9812f8c2563289ca065f5095d1889ae597175889c34d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 633f52fd609935b5c0cd2b91bf67c31e
SHA1 ad8a60679447590df74b590092b4930aa0692a92
SHA256 d5cea979093d53e6a8b2eb1db37b1b76aaf433701bf3840d728d8342604f172a
SHA512 d760917397a437dc165b866e596e6eaa9d0cccd1352251c040597d86bcb2b5bf55990dce8946b825e7eec265df51913e27b53401051bc3cbed0600437d6d11e5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 a9b28322cf5a1570150a3566e55ee8aa
SHA1 68ac3613f512fbe47992e4cbe9a42797942627da
SHA256 57f16b8f40e4df8da4c536e311b158eb28ef0bdc709c0fc09c2bda90716d82cc
SHA512 ea59ad63a440cfef03fe252bc76de6578938a8d0be453ef523e94d118e3a8e343ce79c4ef3640266fdbad087831d9b04ed30de1d96d36023047d02272176824b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 74389453d4e4ec8d46bcf36bdb7ecf5d
SHA1 41a2d57b1fb70e615361d51bd761bb5c609c022c
SHA256 208fa04b20e069fb0c24f9e23722337e69e0989e3b0754347e835177d30baf52
SHA512 8a668771fc7cc184abb03b5e9ba13ba646a26f026be6d04b26acf4b961178e12f06477cbb57c162653fb5800834bf734df68ba593fdf34b10d1d70d99a8cb6c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

MD5 2b75d17058d86b171229c508e5f610ec
SHA1 ffcecaf6f1a9404f478e05bcaac0ce53b316fa04
SHA256 f30341438aac7b95bb49d7cb081b483d412d6e2c58b796fd9da3f5bfbcb377ad
SHA512 265a3d3584aefd5d4c3f8bf289b964d24d0ecf3f893094506bb0a77e194e9ace8c7ccd4bff546a170b92f403c15e33663247915bcfc37d276f31b55fef2f22f3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 65cb98eb6afa4484d26b8a523bd62e87
SHA1 710edbf713444dcd5bfa31da31fdd79af6f5dbb9
SHA256 78363baf5c28f70c97ef785e9ca24de07d035671510e2a4a3e233a0df91d7301
SHA512 1c778ba6c93a29f9bb9c76b930d98b069a67d6103ab5cd2da35b22bb96c085729606f94e0b76be2c66985db8aed832f428dda849597738aa29c6d541f240840a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 66f6f67721c077bf9d8dbfc360aa7374
SHA1 283b9ab791b4f906d071cb16c4344cd3e011e01c
SHA256 cc1611cb369dc6798c3e06a273bef0f85879821ca80ff665a38622ac7bba7c07
SHA512 aa2c38c587aa3b54a79b8f1cdd255b71f99f4070e619d381e666ed6ff488b8acefb1ade92d0c9c17f406c09db76b8e936e7c2a22ddef7e8c22ea2e4906995068

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

MD5 afad889a41a6db15900e6ebb58a6d3e8
SHA1 b4e74b88233f7d58ce523e961636201b8f1495dc
SHA256 dc465bc68794c654359e21554a0883b57edbfccc90636de38ddf7c8536f7f0a2
SHA512 513c6ac602140798d1b60135265ba8bbea9441a36b8ebf8138e7297b48c00a9092129e83295171bcb5b7083938beac4afdf8de112a1816415557c64c29c933e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

MD5 fec56691d4d3eb40c9f928abcce0b950
SHA1 c2ae835536738144008b34f2fa42e44f4f88341d
SHA256 09f7676b40fd336c2f057e08e9294081bbc83eab7ed50f09f66e816fb2ae6c3a
SHA512 d42b2623953d5d63e4272d2e32d93cc7e0b9aa0d4607d0a890e75fe241271cc74b8f07355b172c9205508d5e1495442f5027e43fe5b0435b9bf21191fb43eb62

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

MD5 fe62c64b5b3d092170445d5f5230524e
SHA1 0e27b930da78fce26933c18129430816827b66d3
SHA256 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4
SHA512 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000010.dbtmp

MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

MD5 4f194166d4f80d68f6b5ed2bcdd28fb9
SHA1 72615ba026f084ea1da8207674410b2148c803a7
SHA256 433547727beb4ef62256196909c5d240a4a13274040b77a748f0c129658963a4
SHA512 afad121054c02f6270978ae9cd5d054ce9413c53f1bea5829b688e3a5df537f886765ef56519675d887a32863d221cb3fc2f772b649da261f39f24247e40a48b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

MD5 3b66fafcdc73329423775ddd09e91c8b
SHA1 165c0ba461bd020493dc463d8f26d6504ca8d76e
SHA256 0d6a15584b6a08d8ae85469856e98eaf77e7df8e16d2b323313be720ff9d4698
SHA512 7f28418ffdb8bf0f98f54c0f0441923501c30f4ba6168ddc0ac53d4216067b19967f00a948ba89d3ef94db42a2b73f579747ca8a4f9f3a6e1e3f9738d971e888

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

MD5 49279f10e01e50db081f9ff8422f090c
SHA1 99b133e0bc7a947711bb5ea54609af0f10aa0960
SHA256 27ced3ff88f38830f3aa91e2931c94e558f80defe0906f3b868988969f7d3979
SHA512 94d058716c7718d10b5d689de6f12def6c4b6986ca6fca5ea54a9c44da98f3cd2b7934e55ca14fd2888bafa7ee00c34e3cbf0c06ce0e81dd1288741560e97d13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 771c46ee3591a1b59236c33e7b48ad62
SHA1 57f6908682b1e4ec2427c05e0cec5a4bab9086eb
SHA256 aecb1d38f29836aec0439f2fbb8ee53e7ef84190ff1057333d681ef36eed289d
SHA512 65d806aa9a0ae40e662a172e48bab51206b3e34825fe5dd963908f991ebd2a31eaeb5a252488f02c2acc0184429008d4d52df06ef20ad1f3d066cbb24f32a305

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13363326784426000

MD5 995c8c19c7b1079882b3ab016bd8efeb
SHA1 9812221980861c3681e39b47b57276673864fad1
SHA256 fae89a7d597382f5818e542402dfcca06a9a02f9fd90af5211b63929f54dd6fa
SHA512 494a0c13c943483eefa360d598db0a12a0e56c520ba6e12ce3d1d96fe8ebcf03d267b9cd366a64b71d5f0f6ad708c61bb10f30a7583734b3fce77e0ad407d511

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

MD5 1c75fb6489d24a06602244107c4404f9
SHA1 5fd4af90a56c734a02804ea25dc2f9659bba6013
SHA256 cffdfcfb8e8bb86f23722c0547580e973e766392a1bd7d95d3d21086158a0b39
SHA512 e4f262f8d7a70c925ab675df874ee22703f620aff4ae4dabfd8780a1beb643bbafe39dfd9adc75b4dfb9734fe361e83093f7fdfc3714469bd34cf896efc5feb1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

MD5 174ac489425ec6604b7daeba77a51686
SHA1 3a2774aad9b055dbcfc701d4a33c4c1ae081e79a
SHA256 b54bb04226563d0464d3fbf274ae17d61607fbfc60861c806790db0c1b11c8c2
SHA512 074b93d3526f1c6b3bd1255267eb6d5f15c1892f19e0b58aa337ddc077418fbcad575726327b03e8f8d47ec82fbc3db40dd1b7af036c06a4b9240e4ce221bb75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 42e6d26a5a2d7f445dd01085876d1033
SHA1 413ccc9cb22564bb28329107820ebc2fdc2cdc27
SHA256 6e40ab0561b9eab1de06de56031b6fd2642a18736b8778b8012be30d9056b3aa
SHA512 3128c6d0487d9dc423b39de1b4851d0a1aa89766ee2bcb8d90047c348edabca5b18a2bd89b8e1e55f9cd3603d3f87916211af6d73d4d16080baa0a8b6834da35

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000008.log

MD5 21259b3cc83d3bc3ba94617eeff4c4e2
SHA1 006810a4f103775ede31cc6d3c26c059f310a3ec
SHA256 ae2a35c25dad931d9c6b6c915e7bb259e729381f713cdc4eba765dade2161e97
SHA512 2a5dfe10fdb95b8a1b4f78668b033cb1caa3ca5c4d4eb5bfd0e3967385d51184adc9014c23710bd52cd012c8c762d1a951226f75cf6125a71fb7f8a5505ec38a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

MD5 22b937965712bdbc90f3c4e5cd2a8950
SHA1 25a5df32156e12134996410c5f7d9e59b1d6c155
SHA256 cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 3f719249179888ead336366a72507dbf
SHA1 9e3c48be9332edd4f63908bd26e25e045463c61e
SHA256 d879872fbdc5d7d107dcbfa0507e77077f6202267282f8bcb12e9b3939fb7ede
SHA512 e786c429e516ac6cdee693bcb9949d7ffcf9ded7264dae5073daff4c4d0d0220060262656c32046194c9811ac6e445373e315aecb9148e15799f89de20e7881b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

MD5 979c29c2917bed63ccf520ece1d18cda
SHA1 65cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256 b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512 e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp

MD5 589c49f8a8e18ec6998a7a30b4958ebc
SHA1 cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA256 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512 e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

C:\Users\Admin\Downloads\Unconfirmed 838941.crdownload

MD5 40f76deda9228388017c91aca9621de5
SHA1 f45e55b76725263883a9e40cefcd3a9d88ab89c0
SHA256 0359e89e0cff0d5537c3e4cf032b1e66f2f49b969a20737563e6ba72d06f1512
SHA512 1ad3ee7759aea345f29352ee29fa68193a0c2234b9e92f59f060b7361d6f2ac6cf89f6522c8772f67794a8ef3622cace5152a062630c5627010fe2412f6c345d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 85bcd61bd1705a459ebd1af0a2b2a4d6
SHA1 2e96a274ea78ca2bcc12b2b2f2d081d1db41c2b6
SHA256 1f1dc5688c4b6147674286f5a1c327adc0f42412e10d15088cee61fa89763ccb
SHA512 9d9566e42dce432ffb0727ce56c4c0df3c06677f72f9757a9d1d20f11de1d2e8cd0bb28ad04615addd2c300509e277e1c711c9e294f08a85fa9fc8f63194f543

C:\Users\Admin\AppData\Local\Temp\_MEI24122\setuptools-65.5.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4cd8a545d86f8aac3013c72c9d39196d
SHA1 4157f75e158b60e8e4dad99777d7e78759a34eaf
SHA256 5e69c1fbf7c2e6bfdba7dc1524271c1271d5f4703859cf11f8a213f1f4419de3
SHA512 51855042b6f42128bc403b9e642f4edc62c70b55580cdffccfa288bddbb2637ed6d4223216a8e04474f592f0df0004bcb609957aa5c4b0b6764925a0801044bd

memory/2948-880-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2680-881-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca6c6728-a5f8-4cf9-b927-f94264cb2a71.tmp

MD5 ee1527ffa86b2e0d18ecaef3382b3a02
SHA1 9b0f129eb743428635053097e46112fe681d1406
SHA256 80991497bc9ead504015c1d7fc7b6f8ac3babea8a527e8f83ba9a791af8e01ef
SHA512 b899a234826f5429ba0298c16c3d9fb250acbd34d9661743d113c5523120627a044c4580fd883db6634cfe41e03800827904b8f31afc2553e0a80bab0af4b156

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c984d84da87be41bc67f285d62a07322
SHA1 ba3a82a2cce7cb9a3cc3df5adf138ac7a0fddd18
SHA256 a571fea946e9bb504cf31dab11e643a89f6e60b5bdd9992b1a7b6e3e4c2efbaa
SHA512 d88a19241b23ad45fed1d2769b78c7add3ebd8d530711271071ac70597d83612eb649ac4f148d453887d94f8afc64e27152c22ad54d59174ab8bda084d3d9630

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 452f7b9efc3017aa3d5a1c569e14bcc8
SHA1 69abfbd138c4b9c40ab24199aa6e377e0813b206
SHA256 b14adf7f4cd0dbee104112b69e79069e5237ff35e28cac2944e58223ce052fbc
SHA512 61a715c8f0af9d852b69a8950de0012a5d32f3987a01f09f438855c19021242e1083ec107118998f7b47543457e6433ff5ad58cd22f6eaf2589758624889da6c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:11

Reported

2024-06-20 03:13

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\winhb.sys C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini \??\c:\users\admin\appdata\local\temp\loader.exe  N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633268321833273" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 4136 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 4136 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4136 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4136 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1444 wrote to memory of 4036 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1444 wrote to memory of 4036 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1444 wrote to memory of 4036 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4036 wrote to memory of 5000 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4036 wrote to memory of 5000 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4036 wrote to memory of 5000 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5000 wrote to memory of 1804 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5000 wrote to memory of 1804 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5000 wrote to memory of 1804 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1804 wrote to memory of 5072 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1804 wrote to memory of 5072 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1804 wrote to memory of 5072 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3968 wrote to memory of 3632 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 3968 wrote to memory of 3632 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 3968 wrote to memory of 1684 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 3968 wrote to memory of 1684 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 3968 wrote to memory of 4480 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 3968 wrote to memory of 4480 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1684 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3632 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3632 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3968 wrote to memory of 4756 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 3968 wrote to memory of 4756 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 3968 wrote to memory of 2392 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 3968 wrote to memory of 2392 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 3968 wrote to memory of 568 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3968 wrote to memory of 568 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 568 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 1860 wrote to memory of 3752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1860 wrote to memory of 3752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2568 wrote to memory of 4352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2568 wrote to memory of 4352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 568 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4324 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4324 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 568 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4964 wrote to memory of 3232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4964 wrote to memory of 3232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 568 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 1412 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1412 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1412 wrote to memory of 212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1412 wrote to memory of 212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1412 wrote to memory of 212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

\??\c:\users\admin\appdata\local\temp\loader.exe 

c:\users\admin\appdata\local\temp\loader.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc start windowsproc

C:\Windows\system32\sc.exe

sc start windowsproc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdba839758,0x7ffdba839768,0x7ffdba839778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4700 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=2064,i,3637260982589851650,1973393115213745327,131072 /prefetch:8
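The security-relevant sequence in the process list above is the sc.exe chain: stop and delete of the iqvw64e.sys service, then creation of the kernel-mode service windowsproc with binpath C:\Windows\System32\drivers\winhb.sys, then start of that service, each launched through cmd.exe /C from Loader.exe. This is the pattern behind the summary's "Stops running service(s)", "Creates new service(s)", "Drops file in Drivers directory" and "Launches sc.exe" signatures. The following Python is an added example, not part of the sandbox report, that flags the pattern in process-creation telemetry: it parses sc invocations (also when wrapped in cmd.exe /C), walks the parent chain back past cmd.exe and sc.exe to the process that drove them, and reports a kernel-mode service created from the drivers directory together with the services that same process stopped or deleted first. The telemetry rows are constructed from the command lines listed above; the PIDs 6000 and up and the "sc query spooler" rows are assumptions made for the example.

```python
"""Added example, not part of the sandbox report: flag the sc.exe chain
recorded above (stop/delete an existing service, then create and start a
kernel-mode service whose binary sits under the drivers directory) in
process-creation telemetry of the shape (pid, ppid, image, command line).
The command lines are the ones the report lists; PID/PPID values from
6000 upward and the interactive 'sc query' rows are assumed.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed telemetry rows: (pid, ppid, image path, command line).
TELEMETRY = [
    (568, 4136, r"C:\Users\Admin\AppData\Local\Temp\Loader.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"'),
    (4324, 568, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys'),
    (4588, 4324, r"C:\Windows\system32\sc.exe", "sc stop iqvw64e.sys"),
    (4964, 568, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys'),
    (3232, 4964, r"C:\Windows\system32\sc.exe", "sc delete iqvw64e.sys"),
    (5008, 568, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),
    (6000, 568, r"C:\Windows\System32\cmd.exe",  # PIDs from here on are assumed
     r'"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel '
     r"binpath=C:\Windows\System32\drivers\winhb.sys"),
    (6004, 6000, r"C:\Windows\system32\sc.exe",
     r"sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys"),
    (6008, 568, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C sc start windowsproc'),
    (6012, 6008, r"C:\Windows\system32\sc.exe", "sc start windowsproc"),
    # Benign noise (constructed): an interactive shell querying a service.
    (7000, 1, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (7004, 7000, r"C:\Windows\system32\sc.exe", "sc query spooler"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_sc(cmdline: str) -> Optional[dict]:
    """Return {verb, service, opts} for an sc.exe call, also when wrapped in
    `cmd.exe /C ...`; None when the line is not an sc invocation."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if low and low[0].endswith("cmd.exe"):
        for i, t in enumerate(low):
            if t in ("/c", "/k"):
                toks, low = toks[i + 1:], low[i + 1:]
                break
        else:
            return None
    if len(toks) < 3 or low[0] not in ("sc", "sc.exe"):
        return None
    verb, service, rest = low[1], toks[2], toks[3:]
    opts, i = {}, 0
    while i < len(rest):
        key, _, val = rest[i].partition("=")
        # sc's documented syntax is `type= kernel` (space after '='); the
        # report's lines use `type=kernel`, so accept both spellings.
        if rest[i].endswith("=") and i + 1 < len(rest):
            i, val = i + 1, rest[i + 1]
        opts[key.lower()] = val
        i += 1
    return {"verb": verb, "service": service, "opts": opts}


def root_of(pid: int, parents: dict, images: dict) -> int:
    """Walk up past cmd.exe/sc.exe to the process that drove the chain."""
    while pid in parents and images.get(pid, "").lower().endswith(("cmd.exe", "sc.exe")):
        pid = parents[pid]
    return pid


def detect_driver_install(rows) -> list:
    """One finding per (driving process, service) that creates a kernel-mode
    service from the drivers directory; records whether it was started and
    which services the same driving process stopped/deleted."""
    parents = {pid: ppid for pid, ppid, _, _ in rows}
    images = {pid: img for pid, _, img, _ in rows}
    per_root = defaultdict(list)
    for pid, _, _, cmd in rows:
        ev = parse_sc(cmd)
        if ev:
            per_root[root_of(pid, parents, images)].append(ev)
    findings, seen = [], set()
    for root, evs in per_root.items():
        removed = sorted({e["service"] for e in evs if e["verb"] in ("stop", "delete")})
        for e in evs:
            binpath = e["opts"].get("binpath", "")
            key = (root, e["service"].lower())
            if (e["verb"] != "create"
                    or e["opts"].get("type", "").lower() not in ("kernel", "filesys")
                    or "\\drivers\\" not in binpath.lower()
                    or key in seen):
                continue
            seen.add(key)  # cmd.exe wrapper and sc.exe child both parse; report once
            findings.append({
                "root_pid": root, "root_image": images.get(root, "?"),
                "service": e["service"], "binpath": binpath,
                "started": any(s["verb"] == "start" and s["service"].lower() == key[1]
                               for s in evs),
                "removed_services": removed,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_driver_install(TELEMETRY):
        print(finding)
```

Both the cmd.exe wrapper and the sc.exe child are parsed so the rule still fires when only one of the two is logged; the `seen` set keeps that from yielding two findings for one service. Whether the create actually succeeded is not something the command line shows (the report's `type=kernel` spelling differs from sc.exe's documented `type= kernel`), so confirm on the host by checking for the windowsproc service and the winhb.sys file rather than trusting the tree alone.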

Network

Country  Destination            Domain (- = none recorded)           Proto
US       8.8.8.8:53             217.106.137.52.in-addr.arpa          udp
US       8.8.8.8:53             0.204.248.87.in-addr.arpa            udp
US       8.8.8.8:53             chromewebstore.googleapis.com        udp
US       8.8.8.8:53             chromewebstore.googleapis.com        udp
GB       172.217.169.74:443     chromewebstore.googleapis.com        tcp
US       8.8.8.8:53             pki.goog                             udp
US       8.8.8.8:53             pki.goog                             udp
US       216.239.32.29:80       pki.goog                             tcp
US       8.8.8.8:53             74.169.217.172.in-addr.arpa          udp
US       8.8.8.8:53             29.32.239.216.in-addr.arpa           udp
US       8.8.8.8:53             75.159.190.20.in-addr.arpa           udp
US       8.8.8.8:53             196.249.167.52.in-addr.arpa          udp
US       13.107.246.64:443      -                                    tcp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa           udp
US       8.8.8.8:53             56.126.166.20.in-addr.arpa           udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa         udp
US       8.8.8.8:53             download.simpletoolz.fun             udp
US       172.67.133.190:443     download.simpletoolz.fun             tcp
US       8.8.8.8:53             190.133.67.172.in-addr.arpa          udp
US       8.8.8.8:53             67.169.217.172.in-addr.arpa          udp
US       8.8.8.8:53             28.118.140.52.in-addr.arpa           udp
US       172.67.133.190:443     download.simpletoolz.fun             tcp
US       8.8.8.8:53             13.227.111.52.in-addr.arpa           udp
US       8.8.8.8:53             5.173.189.20.in-addr.arpa            udp
US       8.8.8.8:53             195.187.250.142.in-addr.arpa         udp
US       8.8.8.8:53             www.google.com                       udp
GB       142.250.187.196:443    www.google.com                       tcp
GB       142.250.187.196:443    www.google.com                       udp
US       8.8.8.8:53             196.187.250.142.in-addr.arpa         udp
US       8.8.8.8:53             227.212.58.216.in-addr.arpa          udp
US       8.8.8.8:53             apis.google.com                      udp
GB       142.250.200.14:443     apis.google.com                      tcp
US       8.8.8.8:53             14.200.250.142.in-addr.arpa          udp
US       8.8.8.8:53             play.google.com                      udp
GB       172.217.169.46:443     play.google.com                      tcp
US       8.8.8.8:53             46.169.217.172.in-addr.arpa          udp
N/A      224.0.0.251:5353       -                                    udp

Files

memory/4136-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loader.exe 

MD5 771eb39dd1312a63bb974018cb70d1b4
SHA1 94d751af62d417ff127ec0890179b5412b5e9e41
SHA256 98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb
SHA512 4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 902bc13c7b437a5ea7814a56c7083c7e
SHA1 61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8
SHA256 a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b
SHA512 032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

C:\Windows\Resources\Themes\explorer.exe

MD5 3c3a44a25082b66832566681a3905304
SHA1 39a91499ec916c68f3f15bda592f136209c21b57
SHA256 8cc50381b9b47a4919e587762689f1848926b18ae1adae5f6205550bd49e3663
SHA512 581e3003864bbc0a884484531be00c1a99388b2809212561c20837a35de5efdceb1dbd4d4b3af17a337d9ff50f6d474709425cafb32ad3521f9e1c40b744a30b

memory/3968-19-0x0000000140000000-0x0000000142564000-memory.dmp

memory/1444-21-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3968-25-0x00007FFDD96F0000-0x00007FFDD96F2000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 225f095a010be4935671ebe7f61758ac
SHA1 fdb1e3e9cfd25cd741c23900192f493458c325b2
SHA256 f6778917b8222a0b6b36f06e09a32ad1dcde21887042767e6715318d9869ca8d
SHA512 80cf2dc58f377183cfa26b85d21d34a49f7bbb5458596496163ae3036abf919d6d7d06807292c88c27bb06e3ef3cfb5295f38ad9df0882eb6749301e61e2d915

memory/5000-36-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 b67e92becda676c4444f8d76b5a03f3d
SHA1 c7d6a68ab166f5a09200f583886ef0bfd96c860a
SHA256 9796ee2f5875de84f0c643db0a792841cfdeaaf629f3a5a1140b46a400edf1b7
SHA512 249a1a111fe654521147afbf150b1238bb0086ac6926340e37d2b9115ab34442ba1248f9421776253cc7d0278f33fb5000ff708e3e89c715b9ef5a9e7597ca0d

memory/1804-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5072-48-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5072-49-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1444-51-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5000-50-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4136-52-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3968-53-0x0000000140000000-0x0000000142564000-memory.dmp

memory/3968-54-0x0000000140000000-0x0000000142564000-memory.dmp

memory/3968-55-0x0000000140000000-0x0000000142564000-memory.dmp

memory/3968-56-0x0000000140000000-0x0000000142564000-memory.dmp

memory/3968-58-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 1b4f7095f4518fb5f79dbf8add67dce3
SHA1 dd0e13c1e8a2bd0f5ba7c9b192ee882b680dcd51
SHA256 13a544df91dd8182c679744e02b8fde1376805bd085cc481db3fb3d75ba23ff6
SHA512 677c66fe91bdad610e1c28d82f23f18282668d1ebc7604489c5fef7ebe9dca372dc27dafbedd18cef46c25a82a7f9f88f4c248506f96db5293da84010031dc8f

memory/3968-69-0x0000000140000000-0x0000000142564000-memory.dmp

memory/3968-75-0x0000000140000000-0x0000000142564000-memory.dmp

memory/568-76-0x0000000140000000-0x0000000142564000-memory.dmp

memory/568-78-0x0000000140000000-0x0000000142564000-memory.dmp

memory/568-79-0x0000000140000000-0x0000000142564000-memory.dmp

memory/568-80-0x0000000140000000-0x0000000142564000-memory.dmp

memory/568-81-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Windows\System32\IME\SHARED\namef.ini

MD5 f32dea2b04dc3f7dca1ab634f22e501a
SHA1 069f843cc7f23a2a957af76feb337713893f2e7e
SHA256 b8386a42222a00e4844a222153a0e7ab20229eb7f788916a4e83d5f2997ec855
SHA512 864cc622d8c2433a6961fd9ac7713802034c0b60e4c85db7f2ad6f61aea83a0e8476d332802c5fe483564d7a5e8ebeb08a2ca98a4b2fb136484d6353ba31a4f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 80270881aa7a9f851139e34dd2a04c8d
SHA1 a86400a95505174c076bd081d185257fdc6e30b5
SHA256 297e5fd7a4b316bce08a35771daef227ecdc294306f7b7d141727ec7c3da5fce
SHA512 15bfb12d0e49fccb001ada76fa764f2823634c8066d26997b06905f8015fcf502578d2fc2b7e610b84632f675d5699734a632a3e7b0b358f8f6b5640529f01a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9996e03a482e32fa08d6e19a1720e3ab
SHA1 c69e71a3cc5ae22a3fa61042e3f99c23627798ef
SHA256 6a12761e969fa53e5ca60634c63dc8e73999e45018e1e25da5cf55e11f6d28e8
SHA512 425e3977143cc288e6a3f3e81c870e32480ef4f7f601255c38e7b5c5a2b97046f8b68bed6a5004adc0b38604cabe04df860b8e724c732440c2c0786996a95c78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1e7a140869240fa63314f14e86de0363
SHA1 86d4ddf4bf85be71b002372db1562b747932c38a
SHA256 707a0ff341a2ec6c82aade88eca748efd42dd39bc739763fe60f4ce1c5c9a088
SHA512 9ed6e9c60e70ff782d9fc577c93f9cf7766fb9076a75b439c7df0dbaf243ccad535b2552fc21013986798d34b525b81706c30061904afd1a3b9fea333a6be539

memory/568-89-0x0000000140000000-0x0000000142564000-memory.dmp

memory/568-91-0x0000000140000000-0x0000000142564000-memory.dmp

\??\pipe\crashpad_1412_XMYXAPNKWNGRFVIZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 3e5627b4d7f4c2ce66e10fd2f9509a79
SHA1 1628eb499e30afcda44a4ec4caeea5484263f358
SHA256 eb5293471b866c5aedda3f2cf626da94739b7be6924051e9a1fb972dff63e395
SHA512 6d4a52b1aeda00d1ea5bc0eda23f5d6b25f339aa9caa7df6854378c4061ec44b5737389abb53787d83b7fc051afd42fd895033daf49bcc5e7dda9b6a489e1a80