1e15a4290cff615f5b7dc68e1e4588778f5172ac0ed50a111885ae2d7ff2c76d

Analysis

max time kernel
388s
max time network
389s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KexSetup_Release.exe
Size

3.9MB
MD5

5ff4a6c13b8c01e51042ac1213f39a34
SHA1

28709831e3f5833fd5ba679d05e7a20981c550cc
SHA256

1e15a4290cff615f5b7dc68e1e4588778f5172ac0ed50a111885ae2d7ff2c76d
SHA512

09474c45cbd93897c5a9240d25b4b491e3ceba6fbcef5b79b01b7e25a5af84a9b17b34c683bd9e73db4a916901809c53336035a0757b856d0cbb17dc3b2dd107
SSDEEP

98304:DST4mY6vkrpMgT3epjrsbLXMhN0U4N8l/MDxW76+44IY:uTY6vMMgT3eRuWpRz6+4xY

Score

9^/10

adware steam discovery persistence phishing privilege_escalation ransomware stealer

Malware Config

Signatures

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 15 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}\GlobalFlag = "256"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\KEX_StrongVersionSpoof = "0"	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\VerifierDlls = "kexdll.dll"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}\VerifierFlags = "2147483648"	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{VxKexPropagationVirtualKey}\VerifierDlls = "KexDll.dll"	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\KEX_DisableForChild = "0"	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\GlobalFlag = "256"	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\VerifierFlags = "2147483648"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\KEX_DisableAppSpecific = "0"	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\UseFilter = "1"	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\FilterFullPath = "C:\\Windows\\system32\\msiexec.exe"	KexSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\VxKex_6ABF6BD24E208F80\KEX_WinVerSpoof = "0"	KexSetup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 11 IoCs

pid	Process
2880	KexSetup.exe
1716	KexSetup.exe
2144	SteamSetup.exe
2940	steamservice.exe
2192	steam.exe
2452	steam.exe
1744	Steam.exe
2092	Steam.exe
1504	Steam.exe
920	Steam.exe
892	Steam.exe

Loads dropped DLL 20 IoCs

pid	Process
2300	KexSetup_Release.exe
2880	KexSetup.exe
2880	KexSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
2144	SteamSetup.exe
1192	Process not Found
2192	steam.exe
2452	steam.exe
1192	Process not Found
1744	Steam.exe
1192	Process not Found
2092	Steam.exe
920	Steam.exe
892	Steam.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\KexShlEx Property Page\ = "{9AACA888-A5F5-4C01-852E-8A2005C1D45F}"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\KexShlEx Property Page	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\KexShlEx Property Page\ = "{9AACA888-A5F5-4C01-852E-8A2005C1D45F}"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\KexShlEx Property Page	KexSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\ = "VxKex CPIW Version Check Bypass"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\ = "VxKex CPIW Version Check Bypass"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}	KexSetup.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_100_target_0160.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_m1_sm-1.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\InviteFriendResultSubPanel_failure.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\InstallDirextXDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_buy_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_russian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_m1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\message.wav_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_schinese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0510.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0311.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0355.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0319.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\friendsui_japanese-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_dpad_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r2_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_dpad_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\css\chunk~2dcc5aaf7.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\support_flag_left.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_rt.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_button_options_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_r2_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_button_l_arrow_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0030.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_dpad_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rb_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_button_aux.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_button_create_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\SubPanelFindBuddyResults.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\hr.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_r2_soft_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_button_triangle_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\flag_inactive_bottom_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\inbox_gift.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_rtrackpad_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_4_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\UseOfflineModeChosen.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\movies\steamdeck_trackpad_and_thumbsticks_move.webm_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\gamespage_grid_loading.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\styles\gameoverlay.styles_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_touch_tap_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_dpad_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_r2_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_button_x_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_lt_soft_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_vietnamese.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_one_russian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l4_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_r1_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_russian.html_	steam.exe
File created	C:\Program Files (x86)\Steam\logs\bootstrap_log.txt	steam.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KexSetup_Release.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KexSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KexSetup.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Appearance\Schemes	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Appearance\CustomColors = ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\shell	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}\InProcServer32	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}\InProcServer32\ = "C:\\Program Files\\VxKex\\KexShl32.dll"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\KexShlEx Property Page\ = "{9AACA888-A5F5-4C01-852E-8A2005C1D45F}"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\InProcServer32\ThreadingModel = "Apartment"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\Registry\User\S-1-5-21-312935884-697965778-3955649944-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\InProcServer32\ = "C:\\Program Files\\VxKex\\CpiwBp32.dll"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\ = "VxLog File"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}\InProcServer32\ThreadingModel = "Apartment"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vxl	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\DefaultIcon	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\PropertySheetHandlers\KexShlEx Property Page\ = "{9AACA888-A5F5-4C01-852E-8A2005C1D45F}"	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\shell\open	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\DefaultIcon\ = "C:\\Program Files\\VxKex\\VxlView.exe,1"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}\InProcServer32	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\shell\open\command	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}\InProcServer32\ = "C:\\Program Files\\VxKex\\KexShlEx.dll"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vxlfile\shell\open\command\ = "\"C:\\Program Files\\VxKex\\VxlView.exe\" \"%1\""	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AACA888-A5F5-4C01-852E-8A2005C1D45F}\InProcServer32\ThreadingModel = "Apartment"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\KexShlEx Property Page	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\InProcServer32	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\InProcServer32\ = "C:\\Program Files\\VxKex\\CpiwBypa.dll"	KexSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\KexShlEx Property Page	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\PropertySheetHandlers\KexShlEx Property Page	KexSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EF224FC-1840-433C-9BCB-2951DE71DDBD}\InProcServer32\ThreadingModel = "Apartment"	KexSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\DefaultIcon\ = "steam.exe"	steamservice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
1528	chrome.exe
1528	chrome.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	KexSetup.exe
Token: SeDebugPrivilege	2812	taskmgr.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
2812	taskmgr.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2812	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2192	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2300 wrote to memory of 2880	2300	KexSetup_Release.exe	31
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 2880 wrote to memory of 1716	2880	KexSetup.exe	32
PID 1528 wrote to memory of 2284	1528	chrome.exe	35
PID 1528 wrote to memory of 2284	1528	chrome.exe	35
PID 1528 wrote to memory of 2284	1528	chrome.exe	35
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1140	1528	chrome.exe	37
PID 1528 wrote to memory of 1264	1528	chrome.exe	38
PID 1528 wrote to memory of 1264	1528	chrome.exe	38
PID 1528 wrote to memory of 1264	1528	chrome.exe	38
PID 1528 wrote to memory of 664	1528	chrome.exe	39
PID 1528 wrote to memory of 664	1528	chrome.exe	39
PID 1528 wrote to memory of 664	1528	chrome.exe	39
PID 1528 wrote to memory of 664	1528	chrome.exe	39
PID 1528 wrote to memory of 664	1528	chrome.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\KexSetup_Release.exe
"C:\Users\Admin\AppData\Local\Temp\KexSetup_Release.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\KexSetup.exe
  C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\KexSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\KexSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\KexSetup.exe" /SILENTUNATTEND /HWND:197070 /KEXDIR:"C:\Program Files\VxKex"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1716

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66c9758,0x7fef66c9768,0x7fef66c9778
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1508 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:2
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1524 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3676 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1528 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3008 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3000 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4052 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4076 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4268 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4176 --field-trial-handle=1476,i,5806134213722340499,9486398530164525475,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2144
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2172

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2192
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
PID:344

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,Advanced,@Advanced
1⤵
- Modifies Control Panel
PID:2648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1160

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1592

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1104

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:884

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1744

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2092

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:920

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
c7fc00b06f712c99704c7bf045b18129

SHA1
e992d6b13f1380d83f379920058f871ccd0d6e2f

SHA256
d3a9103f0ed60ec7d58c837ce2cacc8923dce26d9329926b3d73f413ee81ce09

SHA512
3d091e6537ac829705d126d9006f136022f08623b80c46fe6a9811f7d79513665fdcb749f5ad465953a4bd3245f797efa6ab056bcda13e0f08f4bcd03b94730f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
905e0bc1fe072ade0ea11940de793c17

SHA1
34bfe8abe5ccc0771a2a9b2f5a613bede4db1f4b

SHA256
8542679be85e834ac4bfb671980c21d6ed64e649100c94b944b0171f55677de5

SHA512
163bf1b70cde8c6c35553c419a611eecdc96da6f3bc77202cef69f345c5a91771c766d87abaabf052d2105578bd16beb29e63d57b5a0cdff05face89546098e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a4d88777955924681b17ad66680264fd

SHA1
3a37696dfab36bc0977476747f198cb5224482ae

SHA256
e603377085f88969c4c4bcf67423e3504b603daebd3b625048bf4fb48b663b0b

SHA512
4887bf2d2d765c65af15bf723fd72465200dbf951ce44fbde4b8acce2a0c979ffc1f971d8cc116786e8cc00883a29adbfac49df52f758a0e9671aad1aebf561a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
7380ba802706a70f23225dcd1ec0375d

SHA1
f764886045c7543e6cc05f0d1232dc2f010bd9fb

SHA256
d40133bd3e1c1bedeae182e60c88f2260826ff77761ed37a1cef88de4501e9c9

SHA512
d448fe61470cb82dac5a53fdd96ddff95a883244ddb5592146cca6018657e87702de990a66b71fe83dc2c6d5d25883633bf618cd93297cfcbddc6f7b67a32f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
681B

MD5
8ba7595ed6d4630481709808a3a49ecb

SHA1
31d37c59f83588ac437b2cb400c8da0d605adadc

SHA256
4a2be7f5fccbf8e4684cced1a8666e510f501291e2c0d97023425783e77942e6

SHA512
aa0a9ddbd3880927f8931d66fda561ac996728afb3699feb34cbd675d109dea0c507ae3589ecf665b88fb2c82dfc28ccac63916c100f24a9769c43ab8e56230f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
de3c2e202561cf5968fcc8d625ac8f1d

SHA1
8ebaced172369933b22e3aee0f35a5b8e0ea6b93

SHA256
24b3a6e99f9e9bde5e6d6c044defe58937c1d1090bcdea8ea3d5bc5b0803f5ae

SHA512
085238cf85e09cafb4bd0ecbd463adf200c0ac16545486abc14a03547629afd81b93a3514288296ad5d221b497e603fa2194f39b19e1680732ac5b24134a37dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
615132a470ad7a25f0cf845db444e344

SHA1
e7441acb51ae6878bea7f10005f862b93410363b

SHA256
b98464b8f7b43977a384879d7b720ce3d3b93774aafe5995f5c0d54c47f9c6d3

SHA512
3c99e126e509e731da46f2bbe1e551f1a1363b343426bbac89bf9e42d638c673533a20e4de2e8882f4cfedea12f40947a174909dbcd24be2dc6047607cea3ac9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c2d5cd8bfbb069525270522214c3bcb

SHA1
89e258de88b3a5b17f24164aa01a9beb08a391a3

SHA256
89984e1aab6e75b92974d6dcbedbbabde94c14a73d4be3f4fd514b1b01dde073

SHA512
50be4af3ba13ca169e2e6591766960b0c8a85c582568f634f97211d1f112b905a77ca85ca41bee2e4b35fdac6175a509e5320ddf70fad5f35402798c7771c7d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d7bb6a6931a50a0697fe33611f8dbb25

SHA1
9399f7921704b9f02e05ed6725ed634166944e88

SHA256
c57833faee528ffbc54919bd13f98b486a77de9fb582d02423d490a7f1713f71

SHA512
cb1133da03d7d205c90d4072326a44f39cc3078d1dd47af4a59dca0f7fec39f1734f52e728d2ec799b2088c46be4f0f059c65d0eafaca9868799f06207ea344c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3f74c7b40e6a53667148a1be650eeff6

SHA1
615f6426c530ed6a7ba1693165ab4467ea30b1b3

SHA256
44cf10dcd027552e26ce6b4fcb47fae296759eee0e21694016ce689c7933dbfd

SHA512
06186afc6cda1334a9bffcc0dacf124c77a86c26dd1c1cf43c85ac3cfa74f4b22a10d5178f8b1377b2f74111d457ebe1e184b03dfec51daa55da7f95032835ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
b2d480ce74876a6e297d8ac381e5dc5f

SHA1
976208675a5aaf26b4f777b00ccdf7782bcda0a3

SHA256
5ff9d36d2e1eab7bcccf0e65589299f3f178ee1602e7436731f4e529f5193ed9

SHA512
d87fdbe46fba43ca1a501d90a8a6b3fce860ce2784a746b7d812699f5e36956d64bf4bf03a9997cec63f697603a434137a02c9bf4a10fb4e21b38879ef08eaa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f7e47d47-42ad-4177-974a-e1f1c2e4a533.tmp

Filesize
344KB

MD5
c38cc023c7f4d0794fb16542c3cb15a4

SHA1
a7b82809c48adf7173111cfc296419673637c5cf

SHA256
5c6dec77e9d28859da45fe21502b8226a2596294a9a4e7a30a7dd32caea3a537

SHA512
4401fe2bcdd0f0cd526a10a6ab4869b643e90a2a0a245709cb801c464cbd90b1be27462e092a4d5699b573c58398b5ce81a3d2c6cd27669126695996a6af6d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core32\CpiwBypa.dll

Filesize
7KB

MD5
784ffd60b84d9d368ffff423c3618a1a

SHA1
36fe19136efcd5ac5bf0c961ab62648b4db68650

SHA256
087295f1a03fbf6eaedd7905ba89def0a357e3ff3d600f8fe63da365ad22c098

SHA512
0ddf409dd9e5ab28ee831424ffbadb986d0fee0afc8d0f27247dab0d2e04887941475fa350ccc22c4119aca82ec0ae0edcdd1aeb7b2dfa3e9997d379471427d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core32\KexDll.dll

Filesize
217KB

MD5
5cd0d8a341a6a75d81445efc9d2598f1

SHA1
caa7d0891c13537f4ab6bf918bd5fb92421fef5a

SHA256
8a062783e706a034bb40acd9bcd73e5dd23af2b921d91df46ab3954cf8fa8998

SHA512
cace3013708900ea4d60ad1be42d5278d8f8860b4d1229f15645c0dd5fde16a6e274d05368e7ee6ec3edd3b166bbab24c9fc71657e5a015144d2986846b7e3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core32\KexShlEx.dll

Filesize
22KB

MD5
f61d9d2805ff6415984619a884113627

SHA1
16d873fabfd51a606feb69c17f0e4b79bae98067

SHA256
43f54c67a5d928174c4aade1dd3cb9e5b268b98ebb9eb9eced4f8d04c6fc060a

SHA512
edb462ddda62b8926c9695b78fe765128b65503b276aa976e07e9c570a251734e5fd7350fb687c64273c723e46c9f0e793e5ff24f35cfdf1014c4bd00d43e381

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core64\CpiwBypa.dll

Filesize
8KB

MD5
b3e4dd9ce8ccfdcfea3d15006167655e

SHA1
b5f62c2105d33a094cedd2eb4f42d670b9fa75b5

SHA256
206ef977d872fd5173e945145f40cb8e7c1c3f2ea03fabe8670ff40e077b2cb5

SHA512
456a6a688c09c962d0f0f856c6cdaa76ed9d26dd9e1c25b855fa398fab17a145e3ad698d8244dc21ad2adb97143e28fe1e39dd5902762698a4ad4fac9d9f6da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core64\KexCfg.exe

Filesize
114KB

MD5
8596f03bf3c8543093c10b49082fdc15

SHA1
6bb56d7e837642e4de2b443914d4cda1102eb73e

SHA256
e4f3dc609dd37e64fb7d5098ef7a6e93f43f8fc5dd2daed3ae1d47e15e6f1d97

SHA512
67e7ff0d2c268354a77b870b324590dfa896411400491f7d5dfa9ad03ac8ce536a85a1a06ae42280ededaaef2ed133f696ebb1f6d3f15834b0d84546593ebfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core64\KexDll.dll

Filesize
221KB

MD5
3c3b600498db482a77737d2f0aa7b4bf

SHA1
09288470ffe03847891fc2d70202ca3faee9db6a

SHA256
eac5b7eced3d44bcbf5704107415ddcdc7b07ff9a244b777370cb74b09589582

SHA512
4cb4ede39b9a1f021e1c928f5de905ba7c9647f49d9d95da6a55999a9a86840add22bb05c3536993a3c13f0ce08836f2f0729db6819cd30bc17350e8ee4868b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core64\KexShlEx.dll

Filesize
27KB

MD5
efda1219f93240d72168fa6ea624f9cf

SHA1
ba91d6aa1f5cbff8edba36a7783aa0ad79ccd1b9

SHA256
7e7fa51a7f279e867170b82e67e3548dad051d676d9ec20fe073165bd3bde97f

SHA512
87fc3725efadc65e0b551e982ccd7650ebdc39d30ebc3b716a371f88c53bd0e8882bcde4b8eef9725bbb315d5bea7f8f8cb9c1f1aa636fdabded9d29f6ee7bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core64\VxKexLdr.exe

Filesize
40KB

MD5
a5b06feee784c4894e25f963a80de1e7

SHA1
926745c8ac0cfec77591b30b0c7e99487a9b3c25

SHA256
d5df00e9010495a711adbbd6ac2535487214121f6a652a56139e1170653a3cf5

SHA512
912cbfe8aa843de887c5e74f4b9d8e1fcaa0d4136f1bee0716d17da6266db0c6ce9f29f0197c96c1e75fbb98d572860188de89559db1c5af9bfaea8e34422d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core64\VxlView.exe

Filesize
153KB

MD5
aa473410998739575347d0a65a9c6735

SHA1
ad461b03b2718aee373740324b11807703f52821

SHA256
b1b190969857b84b8af11bbe23cc34e54ffa2f3a861b5f7bd0190bf837480f7f

SHA512
ee3c55e32c888b459491019312efa72001f09e7a7d7a25ced79a16f2d56e67bce6581533169328faa76a43cce3edd70a282c73c6a9b9537b79c0c4d940410316

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core\Application Compatibility List.docx

Filesize
21KB

MD5
37bf15a43e5a2cc56dcafaf449264afe

SHA1
a5b1736b79370d2a1fbd0d9693fbb8b09d286c5a

SHA256
88cb1ac486d3b5c4cdfe43817e5b5c782d5b0d4fffa048af4ebcad6f2dd23848

SHA512
8578d5c81a881c693eeebe51a998b8bbea7864850b14ef2308d43ea519ebff06fd39a6482eefe7a6f3a6e2d9adf0b546dcddbce94a3289af48795f4422cd2e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Core\Changelog.txt

Filesize
6KB

MD5
28f06cee734a8ff74f03ba7742920e17

SHA1
386f42e8beffc7b0ebd2a0bc633f6a22aeb19c99

SHA256
dc20e31fa0fcb7b9a054940501821d39ed5e844bbdeda08a8ca9568366b3a532

SHA512
ee69ecd0ea31ef734cae752a6e97346fc84435d8611e7052da30228d4609552e6725959893348f5713fe7cce9af27d085e3845af21992bf2c54e0c38809c223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxAdvapi.dll

Filesize
52KB

MD5
554823b1bff7e50bc4a34b5e21e19e36

SHA1
af44d505b35460c0b395ffbf132bb520485301ee

SHA256
5077ce5c6e35c7aed881ce668f52f8c2e969ce542b40f21810b063f38b24f9c3

SHA512
09b30ddef892a083138c3f5a9ff0ee586cc1185630aed5ccbc1592bb7c5561f9016e96ac67e8e226a79381da7dadcc08431996e353ba7b682072713b78ecbf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxBase.dll

Filesize
129KB

MD5
8bdb8d78f58a18fffab3edc8bfebccd6

SHA1
82ac2ab2c86b6db41de52d8cb19d75bf70b2ab8a

SHA256
36c5e0f906d20f39c8927e8f999424e475906639f708ebe15862a1e7e77a37bf

SHA512
97f7f90f49783295daa85e6c67fc15498c73d73d9c7fba6e37f165ebcdfe5a30808c5931b1ccc0a6346fe849263233093fb5956855dcc2dd70c92ef1082ef32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxCom.dll

Filesize
38KB

MD5
5e278370f14de0e25c19612fec121c92

SHA1
e320800207b01c810afb23be0963a5ef20ec1b94

SHA256
5e9c8860d7b87237b9473ab997fa646cf7ccf02f61f96d48d1d560ec13adeb2c

SHA512
e3a669e11032260c14c77e9cb4a911a0002435e660d0aee85bd7f754f3b900cef48817e84b83b3a552acbb437e44296b59d4272455f7322ee6697af8ff87d52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxCrt.dll

Filesize
58KB

MD5
b73e825476de2b142b30d145797e10cf

SHA1
1e143c153fdd6daa4c15e1f95fe77bd81f5ffccc

SHA256
90321191aa3d5fb60c0c5aa1ea13490a768a04f07602e500c55c60bd0719607f

SHA512
ce24654c3b1a3e1171ada2c94c22e4649fc3c9191fc987ea7fa738be25191325d52ce7687256ac8785d12be4a27d6b01bd43ac9f0e61d1f28d42519e35b6f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxCryp.dll

Filesize
14KB

MD5
23eb960237376a4bc185ddde287e72bd

SHA1
7781881d4a181b97b6349aab104616587313ddc0

SHA256
04d8679a5d8300e9a24d31f609e8c7409d9f9367e3eb8f7617f3dc8aef627e88

SHA512
6ef4a115f728cbc041c53ec11fab1db065fb955b8df9bc45bff274539c704794c9236c3a4c9e7e862c0281b510ea60b517876d5a1413ec46f159bee2a622461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxDx.dll

Filesize
19KB

MD5
ec8a6b1ae327737e3d16eb3968b5b0b3

SHA1
cb700f2fa98019412424b723b3724f54c6798b5c

SHA256
d6699d75443528527f843bf85baf0559956bdf7a980cfd2f727af528a3f93abf

SHA512
d4d5f9d75d6759d5afa9a9c365000012c804cbddaacbf5efa03db19a3e4d26b020ca148c12e68ac9467909c14054b1ca9131fb6b2438b07c309e605a057a383a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxMi.dll

Filesize
16KB

MD5
0440c1fa1946592f87e87cb5b7974d8f

SHA1
dd178e3f1dcdbe3da746a7497ad70cf2d9ffebb2

SHA256
7ae6e5a3cfbbaeaa91197d63c1d3fcda080349f6089b761415784c9a61f4af41

SHA512
46d7005b017e6ace15d223205f813016dbea9f9ff4bb1d7527298641f9bb6392c8441ae2aa8ae47fbbf87d665b1e33944152d1423f9a13356971b40712d410ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxNet.dll

Filesize
33KB

MD5
1cf1b365b63d598b77366b800835e228

SHA1
f358bf5e190d9e013f3479492236fe6d67e4bfe4

SHA256
e42d8ef02fcef49470ee7963ac06e7aa2ad6420dfe9c38d0ee2cbc50b9df5241

SHA512
6ce53bb8450e900c63c40d7cdad7ce0785a3d2bf724da85bc3ed274299ea39b0f752db3f8797aa46cb5c500166866b6d9b301eb5a6b31850403580f2b6d530fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxNt.dll

Filesize
120KB

MD5
7126404fc2075b3450ea1438c0409ac1

SHA1
873292598105194665cf35effb266de2eee56cc3

SHA256
ba37c01a07ef7879f3a90aeeb904a171aeae43bf59fc96ab0d951286984e4c07

SHA512
aba763d5f2da494f49bdb2c4efe0bb99d9d383b3265a60ab25c3e461afee0e41c36c3e637c46a0216483655cbc097f2809eab517d5643148d57bf1c5c2f6854c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxUia.dll

Filesize
10KB

MD5
c59a20e14b592e1661a1493a22d7fbb3

SHA1
3531a1ff1b1ae8d62d563a904415298563a9a5e5

SHA256
a41b29a8c2edafb0e218bf31c3243fff5dc844775270493f1b7cde463ca61b4e

SHA512
73de2de0839cc72c15379ab9678e898b2c10330315e58b220292525e53cf1fdca4a74c5c65bdb34a751731c160894f469e3e8a86f04e7b75252f7cb6506e9e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\KxUser.dll

Filesize
97KB

MD5
d9b65cb4b0472af92869df55d843bfd4

SHA1
5582bf06e27ab782be41f3e190b29714912b840a

SHA256
19abc1c7bc8d4b491dfc5891a7d01b8348008fc0797b6771f53f545b7e928456

SHA512
3d98e1fec87f8b29ad8a93bc9dfe0d40e051589b80eccb1d7a0e3964b46902004cc1ffbb5c97a05eb41b94150148b2b73d7083f768e135a013e4c410375dd9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\dwrw10.dll

Filesize
2.5MB

MD5
c35e8c37e5d3bb64d5136b25b99e9d31

SHA1
abb2b634ed547d9b581bbbb90bc1720518b3703b

SHA256
02bd331766422b276645a8f398ef515142f3f803b9c59dda71dafd7c4d82b5a1

SHA512
5f90b8941236cf4ff6057058119c7b8a509980d7eafc3ee802679c0fc61ee85f444a3a582169e9b4f476d1fc1f05819c66848a60b757cbd4c94d13b6ae4ebf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\mshtmlmedia.dll

Filesize
1.1MB

MD5
7c4ffbcf7898e55c3427de56acba0c3e

SHA1
ec3c3ae6bd0ddae2c62086bbe64771e9e78a1517

SHA256
da79b0569d0ad5b66f1d761490d4b406f591a65f3ba2049a8e9d0ea5c45a48cd

SHA512
35c3c4e29afa388e3c0a348bef68a314acc53ef8b3a9d26d53c7c6e9394dd6333bc452f8a15e67448e5039ad5a72c33472f87e4cc02e6cc0acc0da60e34afe59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex32\ucrtbase.dll

Filesize
1.1MB

MD5
df160b9471e9ce9aa4efcfe625673310

SHA1
54d14ace2f00a93c28984a577ebb47929d29e3cf

SHA256
c8dbd811bb85d7e17d457c7938c15ef39dbde395f82e967387e082f2c9860748

SHA512
956af4328eaa55ca44d3c64aa6463f5e4d771d390afae0db9267df8267bad146177b9d7fdae817ec8aaba49d0bcada3f6d55cfa8bdefa9fa3610fc9c9353cd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxAdvapi.dll

Filesize
52KB

MD5
0b02e50bd73456297c671d1939e7490c

SHA1
78367c5f4cd2c7df9d53377c70a88e7c76913b82

SHA256
db0d9b9d7c8dcb771b6bbcc49a6fbbf571d75628d95ed9d223a9526174a13253

SHA512
045653a82c1e2a3887688a72046a5b10ef9396843413e2014a547dfd48edae353d695586b49aba9dfafcb8a188873a58a4f3531f81e32b8b79b4530559d5d3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxBase.dll

Filesize
136KB

MD5
b3ca28500c1a11aac7a6f2bacb700ab5

SHA1
5b2f2fa956c17c91facf3531d18631376bbae9c4

SHA256
1029a68d37aa15fbeb4c513e55476323279d5a7f95e73c92e6a08ce5071301da

SHA512
20a6f3fc63d248e4713b4055cbe2b06c1c58b4cd23fe344bfa8c1a1c0c6d8c65407a25c278f33b27606b3c3ebc48cf41e71cec2fed0d717368abaf8a60394680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxCom.dll

Filesize
47KB

MD5
4a78634693201cc01f246c9044a48673

SHA1
536d20df759905d58c6fdec5e9de723538fc4cc3

SHA256
dbe6350995fb1923e690f9b4c32c8754533f6a8974c9d7e4ddd6271a4ae69525

SHA512
8a2d252dfce36d8f22669aa9490b7c82c9fb611620b28ea9c36503d8b8c520af35710dc660546889df6a5fcbcb3e7960c81cadba7cdbe6aa116940a7b6176056

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxCrt.dll

Filesize
54KB

MD5
d3508302effe7e638e8e125839983ec2

SHA1
71b40424c870230a0cc180f5cb227432b0dd679e

SHA256
46cbf3d8f3cd5289cc0bd97088893dba8701d7692def6a10f1156e6e78379f57

SHA512
94995cf5711169db8c4f148feca00c67cb8d0e1e2e5e479ff7a938cd4732c608388776b0ce0733429c8ed104fde68d3bf1c8e140133c1e6c1366427e22daf830

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxCryp.dll

Filesize
15KB

MD5
9cc9542d52d7356b4648e1c90906c74e

SHA1
03e5c38f07a0890051070e57d58e31c205a30ead

SHA256
e32cd037ec66231dfddf3d9e3b9d0c9ef2ad2f35ca846840f06349735f500223

SHA512
04e5b7c8f7aa28613f7eeaa44c305d55a340e8646795cc3b178952789c7eaf209c4fd25e35dc4527835b4b58762aa03a205e95d358c1cd8fb80cfced9b03db34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxDx.dll

Filesize
20KB

MD5
a4e543789d800f749c41cabe09f52ac2

SHA1
92b27d7bba8ccdc04f312dc5edf94eb81b6922f6

SHA256
349657c1002d60daebd6e05cb4857bdb8486bdb6644de95d0601b942a57c4a5a

SHA512
74787377f7f75c61b0d843fd10b1234bd66e2ccbcdb2ac4849c6668e61b36eb9a48775eb9f99cebf68cfe1a352a9a310729fecd46641a6c079bd5f74c849f6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxMi.dll

Filesize
17KB

MD5
1a133e643fbf976773e64181efae5ed1

SHA1
614987ace17b228cdbf0525cfe5bc51d3d30eae9

SHA256
a748668a5c23da1e3910c7832e7fce76c8c4959212571dd288c48b5ed51b6ea1

SHA512
df9a1df41797c083467e4e3dfbd29e8234b5cb16afd4c1e82ecc91f87945770e9d26146bd1fd6e05c3fda5e5c13e05a809878bec9dd7f0888e471057b6ecfc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxNet.dll

Filesize
34KB

MD5
c8207fd2ff923008e701661b403b5722

SHA1
4cb68ea6cb6fa8759778d407c4e4be5126dcbc06

SHA256
19b4f2c93c874a732301bacb9f1c3e5d3e2eb56315187ec049933de81e869ac8

SHA512
734282a81b4250684d82fc9c2b1b82141efaccafa56b8b3ddd27254c195572b4c115d1b3ddb83704ae8820c936572f287d46546d929571dacec68abde9e78d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxNt.dll

Filesize
118KB

MD5
6cfb2d043d10301864249e7dab5a4647

SHA1
a16b14d6419b24b5c626f12e0a413a64a8b0cb71

SHA256
d75aacba74ce6338436c94be768c384cf8d80e6b61b6c5ba8a671ecac65cda25

SHA512
7485e15ce114831afe0a2e10f017119470e5dcd3360acf73e7c7f9fd57ca2d2b8a217acafed5510394cbd8552600711881b856fd374d0b09c037fe74e53e9292

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxUia.dll

Filesize
10KB

MD5
859392917391c5b4b3654244402e1bce

SHA1
2f07650de7cf64363ce3dab872d2ae52c7862306

SHA256
5451109c9cdb9f00dcd6ead8b8e7ecc7cc622cf79313eb55de7cc1b51b00c416

SHA512
248c64206d5aae72c4098fa1b4974cb8f710084309e0b1ce65b40c8d21b627583365a392aa39e5bb9025aa7a847eeaf0c4bbb5d60c674764716e324356b77816

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\KxUser.dll

Filesize
98KB

MD5
3ace4c237fb138528fca98f9e6546d32

SHA1
56894f6bc5794917f75bb5143ac6da8275d2f5c2

SHA256
91fe5f2a0134e1cc3fd3679c0ffb5496dddafd7a83b43f83dfda676f1f81f41a

SHA512
bf6ff2403ef09b9bdbc45ae8e77077911dcb0f2ca5b46ad203e98383bae888c999e9695dd8ae0b733ec818a750773c39fbf1bb1db69342938d966fac473c66ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\dwrw10.dll

Filesize
2.9MB

MD5
2211bb5549b98d3e1846fb8af44c8bf7

SHA1
a073c7d7b88fa8679afa2d08435fa3ffb1ddbec6

SHA256
fdc1973c4bd46d73c6f4ebaa46b1f494187bac85519982e7beb73bfb62b534b9

SHA512
60dccc8984e7319354a4dd99b7f260da7d91651e3a89d11b7c7d2c7709d1ac5dcc2a02369bc539ba0f821a8d220430ca65c488fe6d1c9ab342a14d39f984a5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\mfdevmgr.dll

Filesize
1.3MB

MD5
2d2e9e696d872bb98c8ab73ce12f2a70

SHA1
437b14c163993be63f2a94f4c05146d6e6f7ab9a

SHA256
e185d05fc1774c4b9661121c49b33bfed5e824062a3749553b69064c982aa29e

SHA512
821ab2e89ec9d27b7193956225055ed446b53efdea886b331c63cb10a46267d5fe9143d547c4b2bf47cc92f3c951548b6033725c453b843e953d45850d7c491a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1D58FC\Kex64\ucrtbase.dll

Filesize
1020KB

MD5
2c8fe06966d5085a595ffa3c98fe3098

SHA1
e82945e3e63ffef0974d6dd74f2aef2bf6d0a908

SHA256
de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65

SHA512
fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D6A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DAB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC90C.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC90C.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC90C.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC90C.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC90C.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC90C.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 268160.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
\Users\Admin\AppData\Local\Temp\7z6C1D58FC\KexSetup.exe

Filesize
67KB

MD5
12a64906c99da7939a89beeac2b95d71

SHA1
eb37a7f9b7f9a0a18bf6fe906cd44c121a7c748d

SHA256
7607e37c1f901e948dfe75c7e67dd519fd4b21e99cf8499daffe43a1664525e1

SHA512
08f04344a169a3fe790262327ca86ce3a49b8182160885ef0c6009e07a365f41e7731061a83335c137c097213016aa81be86f4a16eae16d6fc6c3e93a1cfeb63

Download Submit
memory/1716-133-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/1716-134-0x0000000074740000-0x0000000074761000-memory.dmp

Filesize
132KB

Download
memory/2144-768-0x0000000001F30000-0x0000000001F32000-memory.dmp

Filesize
8KB

Download
memory/2192-13102-0x00000000011B0000-0x0000000001662000-memory.dmp

Filesize
4.7MB

Download
memory/2812-255-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-194-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-251-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-252-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-206-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-205-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-265-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-256-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-195-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-234-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-259-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-260-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-145-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-144-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-261-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-262-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2880-136-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download