orcus | 6929f40d7bd70ce7e5189f9c940767d1d4426bcadd66828d1298ca96ffa44eb2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoostWare Woofer.exe
Size

10.0MB
MD5

7a0de259284a750bc1b9e489a3c549ee
SHA1

8bd17616907d5adf94489d2d6c833c55425148d0
SHA256

6929f40d7bd70ce7e5189f9c940767d1d4426bcadd66828d1298ca96ffa44eb2
SHA512

8c0a47f0ed7a1d30e8a5de563debac0753eac29db92445c9b14cdb905a09a6a34d7adbdbdacae774ee962cfc6f6a5f357ed71931b488b8f174a3fa99134c3704
SSDEEP

196608:stDsBPeJ5EHWb/I0onV2TNRXbUgoL8aA0TO3e5bau5Zcx:0xAE/IJ2TNugUHNyu5M

Score

10^/10

orcus fortnite defense_evasion discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Fortnite

82.9.246.24:8808

Mutex

f65beca88ddb49089d3a6be2931bc598

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Microsoft\Skype.exe
reconnect_delay
10000
registry_keyname
Skype
taskscheduler_taskname
Orcus
watchdog_path
AppData\Skype.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022a04-38.dat	orcus
behavioral2/memory/1564-48-0x000001D8948C0000-0x000001D894BBC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	Rha4t.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BoostWare Woofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BoostWare.exe

Executes dropped EXE 10 IoCs

pid	Process
2596	BoostWare.exe
5088	perm spoofer.exe
404	Beta.exe
1564	Rha4t.exe
1944	WindowsInput.exe
3828	WindowsInput.exe
2816	Skype.exe
4732	Skype.exe
5044	Skype.exe
3924	Skype.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "\"C:\\Program Files\\Microsoft\\Skype.exe\""	Skype.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	Rha4t.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Rha4t.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Skype.exe	Rha4t.exe
File opened for modification	C:\Program Files\Microsoft\Skype.exe	Rha4t.exe
File created	C:\Program Files\Microsoft\Skype.exe.config	Rha4t.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	5088	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoostWare Woofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoostWare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perm spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852152195995231"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1160	powershell.exe
4488	powershell.exe
4488	powershell.exe
1160	powershell.exe
1160	powershell.exe
2816	Skype.exe
2816	Skype.exe
2816	Skype.exe
2816	Skype.exe
3924	Skype.exe
3924	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
2816	Skype.exe
3924	Skype.exe
3924	Skype.exe
1936	chrome.exe
1936	chrome.exe
2816	Skype.exe
3924	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe
3924	Skype.exe
2816	Skype.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	5044	Skype.exe
Token: SeDebugPrivilege	2816	Skype.exe
Token: SeDebugPrivilege	3924	Skype.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 1160	3104	BoostWare Woofer.exe	88
PID 3104 wrote to memory of 1160	3104	BoostWare Woofer.exe	88
PID 3104 wrote to memory of 1160	3104	BoostWare Woofer.exe	88
PID 3104 wrote to memory of 2596	3104	BoostWare Woofer.exe	90
PID 3104 wrote to memory of 2596	3104	BoostWare Woofer.exe	90
PID 3104 wrote to memory of 2596	3104	BoostWare Woofer.exe	90
PID 3104 wrote to memory of 5088	3104	BoostWare Woofer.exe	91
PID 3104 wrote to memory of 5088	3104	BoostWare Woofer.exe	91
PID 3104 wrote to memory of 5088	3104	BoostWare Woofer.exe	91
PID 2596 wrote to memory of 4488	2596	BoostWare.exe	92
PID 2596 wrote to memory of 4488	2596	BoostWare.exe	92
PID 2596 wrote to memory of 4488	2596	BoostWare.exe	92
PID 2596 wrote to memory of 404	2596	BoostWare.exe	94
PID 2596 wrote to memory of 404	2596	BoostWare.exe	94
PID 2596 wrote to memory of 1564	2596	BoostWare.exe	96
PID 2596 wrote to memory of 1564	2596	BoostWare.exe	96
PID 1564 wrote to memory of 1944	1564	Rha4t.exe	101
PID 1564 wrote to memory of 1944	1564	Rha4t.exe	101
PID 1564 wrote to memory of 2816	1564	Rha4t.exe	103
PID 1564 wrote to memory of 2816	1564	Rha4t.exe	103
PID 2816 wrote to memory of 5044	2816	Skype.exe	106
PID 2816 wrote to memory of 5044	2816	Skype.exe	106
PID 2816 wrote to memory of 5044	2816	Skype.exe	106
PID 5044 wrote to memory of 3924	5044	Skype.exe	107
PID 5044 wrote to memory of 3924	5044	Skype.exe	107
PID 5044 wrote to memory of 3924	5044	Skype.exe	107
PID 1936 wrote to memory of 760	1936	chrome.exe	110
PID 1936 wrote to memory of 760	1936	chrome.exe	110
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 3084	1936	chrome.exe	111
PID 1936 wrote to memory of 2068	1936	chrome.exe	112
PID 1936 wrote to memory of 2068	1936	chrome.exe	112
PID 1936 wrote to memory of 1244	1936	chrome.exe	113
PID 1936 wrote to memory of 1244	1936	chrome.exe	113
PID 1936 wrote to memory of 1244	1936	chrome.exe	113
PID 1936 wrote to memory of 1244	1936	chrome.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BoostWare Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\BoostWare Woofer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZwBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAZABiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAcAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbABrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\BoostWare.exe
  "C:\Users\Admin\AppData\Local\Temp\BoostWare.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAagBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAdQBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZABrACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\Beta.exe
    "C:\Users\Admin\AppData\Local\Temp\Beta.exe"
    3⤵
    - Executes dropped EXE
    PID:404
- - C:\Users\Admin\AppData\Local\Temp\Rha4t.exe
    "C:\Users\Admin\AppData\Local\Temp\Rha4t.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1944
  - - C:\Program Files\Microsoft\Skype.exe
      "C:\Program Files\Microsoft\Skype.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 2816 /protectFile
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Users\Admin\AppData\Roaming\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Skype.exe" /watchProcess "C:\Program Files\Microsoft\Skype.exe" 2816 "/protectFile"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
- C:\Users\Admin\AppData\Local\Temp\perm spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\perm spoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1048
    3⤵
    - Program crash
    PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5088 -ip 5088
1⤵
PID:3500

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3828

C:\Program Files\Microsoft\Skype.exe
"C:\Program Files\Microsoft\Skype.exe"
1⤵
- Executes dropped EXE
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe13d2cc40,0x7ffe13d2cc4c,0x7ffe13d2cc58
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4364,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5284,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5272,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5496,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2280 /prefetch:2
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=832,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5208,i,7218247728830216078,3992292240999109159,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:3908

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2e997a104b7cbb514ca2af22637ca2c6

SHA1
2ed2853c0ceeb804e30b958446757e1b84d8b1b6

SHA256
5610509ba752073c59869df4fb1dd2926b7519a06269aa5ae3055b94d7156dbc

SHA512
7da48d18cd90037d3b36a530a1cf1c59bb52e19211fa6ae80c5c89f355f1c5c76edef82dc0021e45ab3fa7ab68d06cfd0b7e38d860b398aab4f9b7a717f558c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
d1d770bf0d1bf2e73e5a01dc95c19de9

SHA1
e071b1aa243f1f1f8007666c16ffba90e53877c4

SHA256
8cf9d7669ae8b36aab2d5c5b00db43fd84070a7cbe1a8db7e5c73d67e0a68ebf

SHA512
ce4f112f8832f1eabf739506b55a681c96e83aa7e3ed703f60d27bcd6839304f0449a8304cbf9c682d7811ae7b1918310485b3950c0ad8cd7685794aaf7965e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cfbcfc6945e86a71754508f7c9b8a799

SHA1
ebdafca9bd3c4ef01ed8fd0493152f7aa99f7088

SHA256
1802a3aba09c569bb40e439c84ee9f3d08ea60abf4b02eca479ef5a037b20a26

SHA512
1416156d0a1ecdda649dca0d31fcd63a62cabe7386d07c961e390ce3790e028c68e439a7c54c536299415873ba7b5d3d663d325cddd7386357a532dfcd906994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
454c78e84dbb7c9a472434825e531017

SHA1
4733e38da026eaee0dabbf311cf41caa254987e5

SHA256
47b06a6df78f460332bea948271d0af1f257bf49004e10d08c9b4d9d3e1b4fb7

SHA512
6660e37aad00850cc388d0222c5431c9ecde671e57b5099bdc52cd7997a00a24c318e4d5fef41f808a7d064c81f2a021433ab6521e7105a64b25a30d8af6c370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
67e81514e4427cf160c89e41ee64dbf7

SHA1
8de73e20dbe0fc6c7f58245bbafcfda6472d8c9f

SHA256
4f756c82bd7399400201aec1fa5d5dc3f33e7a451c838748ef58fc619cbcf90f

SHA512
a0ffa57781d2a70d0afd10bcb7f4f02d7e03f3ddc1c7812707aaf8b374d0c7543d91ae4aaaee2b1f5f7209c1e84de7fbb45557df509d05e396f6a7d56916d034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9fc7fc367416efed98059c2a2b7f2a3a

SHA1
e7318511fb8c64d7e0294797c07b460e8382e0ee

SHA256
2fbe129ef1e797062d09b9ede6c442ce94e54fd1ebe7981498ca5a0c441309f3

SHA512
4978ba9465b15914ca5599d49d9465a8a7ca0a48d9511304da46876c26839bc5984696c26ef78bb9a47a25d25aa77d7cc8cc8450e6139ef388160b10b47ca007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d367e4f4-73fc-4425-becc-7d3f2d324fd0.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5483b97d7991728e222cd211df3d6ebe

SHA1
4dbbc4cceadd33ace0a07c7ca4bcc44ed5711d9f

SHA256
7af47bce67cf5bd4a3822eeb30ea2d8149089e60723c03fc73eacdb9da923388

SHA512
ee5992dcac8de92ce2c3d3453c49d9bfb208272a32d030f58a79699512dc6027be70f17323bb8bd1283d45237af3ff33416942d297535400c2c6f274a4ebe20c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4bbc2831187c1de4f9063d0c9292269d

SHA1
8a272ea63efbdb1c67347dbccdf9e28ea1f8d702

SHA256
f687c1d3ff2e521316284ba465871a7201468aaac85762a2ef5a617013f1248e

SHA512
75531572d06637ade577ea0fad9a964fffc01afaa510f63f378a518ee47a3bd297d2473b9750ba8fbfc0db1adf356e735565bd270d126ab1f4a6350abff29106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
acc180ea9512614804410766550a5fbc

SHA1
64f4304344f13a14d0e83f4270e7f83b8c1c831c

SHA256
b2cd41e8bd7835f4226dcf9cacea096aac44c06e7e94f8effe08885ae494178f

SHA512
aff1115eef8cc43d3be4a4063c22e66ca0995042a4d656cef09b23c8902e9089c03780396429f9f1217bad360dfae70ffeaf4722cf98285b67b7e1d5358c827a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d2389b4c3e26054602ef66db8dfc311

SHA1
1409b16a622a0f55c65c07e1379e0fabb3dc36c4

SHA256
4c7e2555f67647343a4a1549b2b0e419bef84a4644531d6775ba15bf0cccc383

SHA512
e63c61f760cc217bf2c2bdc539fe573fa83a7633f5b9c5baaa26eb0e5073989e5ea60d8599be083d423b7dda726da735994f885b21c6783eb1267b46a2762765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f1b361a5bbcd9cca5d91de0bd460f56

SHA1
f9e5aef0d72058d58f4a666e200c8b1a63e4fbcd

SHA256
91ad73a5df84089ee3bd7bc6e5d14f1e380b5fcbf3093eebc1f292be62e845dc

SHA512
7365b98a3cece856a62f1877b04d695c2d5c73929ddd19d4bfe7d7320ecaea67c5a4b63c9849069bd27e033b85699dc8295b7ae2e694802415f77308a183d9dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa643478c18334051e5e0977c984c8bc

SHA1
7b909a3d01917d0b01dec78a37020351e48afbb8

SHA256
1d0b3622989c390fd16386ab4c51512bcfe6c5f50b36c1a8be4a2e63edc570f9

SHA512
81d17b5db47c45b5f9e9d3ad5c70dd2411c921e409b2b3d2c8e26215f5e3871a26761d91d4c82a60d7e6228ffb14875950aa4ab0c0c37ade0321bebb805a3e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0cbf562b3ad95d5346d5b367dc9b180a

SHA1
2ac15453d87c70b7e86c2e280b238b4f3e1e2191

SHA256
db21036a9313b027106c874b2b6d71133432fe2e825950a06d9b3c503c663ea3

SHA512
c968dd4dae6ca4289a27211a01802be302f58671a227d8a51cc2211ea48a464d49d0c029fdde15e0604baede345e0ea04d2d1cc9402eb12fc5d3be5fe220166d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eeb3a22a100ae1aee838e12f9c53832d

SHA1
412d6bb6053273169f71d6e5ba43d7a6401900e0

SHA256
59cd405e7c994c5e59f68283502c902805cdf60ed5796f8ab6929b2e6560d14c

SHA512
09290af05604d5e3d1383583a8f55e2eb8cc0e8c6473ac32724e60afe7d7aca77fe6bdb9532bcba160c83bb42eed9eb3b96cfa935266d89b6d6c2dbc19a05fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
91b23956dc7bdc6c4d5edf90db5e9f3b

SHA1
e399ab9e2ac4c202cf2c0affe19b01553b68267e

SHA256
bccd2c41edeeb4516b979987ac3604027629441098155a78fd67e0cbd5a70b19

SHA512
49ef8e23bf504d910c6c4e5347683895907927e1b34dbc6fbdc05686ef5e7f505791755160c9800a6a1b607a6d09f8718d44a09e755c3bef964f02e32a6891ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9f5fdd7fd972356ebe7790e9a18fc178

SHA1
df23a8852764922e0be38b646aacae199469111b

SHA256
28a8b7e5a66b48f193cc9a07557abba9a69b7b557960dd3fa7118ae523284f77

SHA512
7c8bd24092c71d64dd14b615948da1c883fecb83c335914d97096de94f38588fe34d3c2b89cdae25e360b95aa3067acaebba0bbcd717b3b922176f64a59ecda9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a49d076593f6e22c8720c9e1ecd787fb

SHA1
b0f3d6687a930ae6768031bbff001dcbd5dc0f4b

SHA256
e23fd7c34de667978b93a5ffd44ffcc697b261c77785c95062942e6bc500ecec

SHA512
47ed74933d837ecebcc5c4692cb7bdaee5d98ace5aa403b650b1dd63152a9454b0f983e6b163e6d2f86301abf85ba064e2b15e75536970e01c4372b1d6018481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
476286213c87fb8533cb51e685882001

SHA1
09097df1497b2a64cc4519a6d1368dc8a59327b2

SHA256
32fff48419576ce6ce0085b22945eef756e178651dec646a6b8ec0f1f39cf799

SHA512
182ee1e32dcfd19213b24853fa986abe5eade42a5b6d39812ac54c354db3ef5e035314c372cf73a24dbbdb9679673c17ab9c8684119ebf665fadd373318ef729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
a3485b91fad1bce59e04d7053a8517c1

SHA1
19a8fc37b27fbf7b5fda62ea2231793ee59bba70

SHA256
d37db61e673570b6af9842e4f267c1a83be484c12dfa1858062a9f6ad0d3c302

SHA512
30e56a93db5909cefe56a0ccabd93b4573c088f3e46e0a297f29e3548b1c4256ebf49bc230c506631dc0c4a7e43d05127459df5c31e9fed385ddd959da51f7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
244B

MD5
dd36c4a843e10f0fef936a22b6888d6a

SHA1
e918e33c7c98cd7cd91e737421475b9a4d814d33

SHA256
b968689e241ff513430294ec5daeb8eb3072deca9e1ac8989946fec06bb74c79

SHA512
66981cb499659232a8322962a94c42f88e6397755a87800883629358b40e643174cb5bb2e9913a8215511181a7d738cfc8d8d435052ed2d1b046c82b0b27f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beta.exe

Filesize
6.7MB

MD5
e7537ce869ffa596c293e451f3c8f726

SHA1
8873228a10fef6b3a5b05c9e2e447a1985841bcf

SHA256
4d135ec8daf850061742ddd4d49155e6b57599af896deb056dd68d26a8d0c13f

SHA512
3956b1cd36bf8fb73b411cba07d0c0e84e3e84b85d2d8234b65648a6826c11441d0963c04558831fbd5dc9e6fe04752557d6e0720afbe34c73e16b19f1eab561

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoostWare.exe

Filesize
9.6MB

MD5
1dc82cdf4c25c697678c3d95e12c494a

SHA1
7e52934ffb36810cc3ed9974e7f650a9f2e1ba2e

SHA256
5cf6ff4162d3eb61d3877ca0f2ab3174b95e210a8424134d4bc8698ba33e0ff3

SHA512
5531feda823aa5d73f3538b22731dd54b93e15da9ce4f3e52ec380e99b52dcb7ad269fd532784a92b76deb8c2365cc190b8f784c18af7f4115612df01272ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rha4t.exe

Filesize
3.0MB

MD5
4676c622444293d23fc92c88b4d5de1f

SHA1
2a99665bd67956a8a55b0992ce736a55558f308e

SHA256
3023628d4215c3441486912e46694f64ff34636e9513456f162f3c1fa0c03847

SHA512
fb4b258db7d1b3962576d56af57a13962a8acff1233a58679c4286c2669a3e07888df24d9c28d9ab2fb8f5c3be4b3d51eedf7f0009de4bc02a52519f06af6990

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gqdsbco.x51.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\perm spoofer.exe

Filesize
331KB

MD5
7468b957d1ac40c3ea827dd1edd34704

SHA1
446cbfee65258c61c2f0e932d4242b429f77866d

SHA256
ef5ffc2cb37850ecadb77ae8cd9c8aa081b98f8a0118b7842e6b92e6a1d6e565

SHA512
bd075c12763f4c78d8cb24981423a371e9a39813136f076ac960b5ffda745d442c4165e8456e14fcafb882bdda58d8619e0a60414f9f3245c23db3b97560ac2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1936_171295502\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1936_171295502\dac972af-dd53-45c0-a494-4bed2ce8a7e7.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Roaming\Skype.exe

Filesize
9KB

MD5
8ace06702ec59d170ca2b31f95812e0f

SHA1
de36712adf9b67d0b4c99d12eb59361adfc5473f

SHA256
f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45

SHA512
5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

Download Submit
C:\Users\Admin\AppData\Roaming\Skype.exe.config

Filesize
159B

MD5
740dde6369b1c855ea2f8e171fa888c8

SHA1
db3f1c7e5e4c087cf9eb02376fd750f1879f28f8

SHA256
e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae

SHA512
114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
a80be96476032d2eaa901d180fe9fb73

SHA1
f378d0bc5fefb9ea0b5006f020091ffcbcd7acec

SHA256
d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42

SHA512
210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/1160-7-0x0000000073BCE000-0x0000000073BCF000-memory.dmp

Filesize
4KB

Download
memory/1160-25-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/1160-44-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/1160-45-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/1160-21-0x0000000005350000-0x0000000005386000-memory.dmp

Filesize
216KB

Download
memory/1160-129-0x0000000074490000-0x00000000744DC000-memory.dmp

Filesize
304KB

Download
memory/1160-49-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/1160-43-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/1564-64-0x000001D8AF0C0000-0x000001D8AF11C000-memory.dmp

Filesize
368KB

Download
memory/1564-48-0x000001D8948C0000-0x000001D894BBC000-memory.dmp

Filesize
3.0MB

Download
memory/1564-65-0x000001D896710000-0x000001D89671E000-memory.dmp

Filesize
56KB

Download
memory/1564-71-0x000001D8AF320000-0x000001D8AF332000-memory.dmp

Filesize
72KB

Download
memory/1944-89-0x0000027500780000-0x00000275007BC000-memory.dmp

Filesize
240KB

Download
memory/1944-88-0x0000027500700000-0x0000027500712000-memory.dmp

Filesize
72KB

Download
memory/1944-86-0x0000027500320000-0x000002750032C000-memory.dmp

Filesize
48KB

Download
memory/2816-141-0x0000025839350000-0x0000025839360000-memory.dmp

Filesize
64KB

Download
memory/2816-140-0x0000025839320000-0x0000025839338000-memory.dmp

Filesize
96KB

Download
memory/2816-139-0x0000025851AB0000-0x0000025851B08000-memory.dmp

Filesize
352KB

Download
memory/3828-94-0x0000028431E40000-0x0000028431F4A000-memory.dmp

Filesize
1.0MB

Download
memory/4488-128-0x0000000006FD0000-0x0000000006FE1000-memory.dmp

Filesize
68KB

Download
memory/4488-157-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/4488-115-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4488-100-0x0000000074490000-0x00000000744DC000-memory.dmp

Filesize
304KB

Download
memory/4488-111-0x0000000006C90000-0x0000000006D33000-memory.dmp

Filesize
652KB

Download
memory/4488-110-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/4488-99-0x0000000006090000-0x00000000060C2000-memory.dmp

Filesize
200KB

Download
memory/4488-112-0x0000000007410000-0x0000000007A8A000-memory.dmp

Filesize
6.5MB

Download
memory/4488-124-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/4488-127-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/4488-147-0x0000000007020000-0x0000000007034000-memory.dmp

Filesize
80KB

Download
memory/4488-144-0x0000000007010000-0x000000000701E000-memory.dmp

Filesize
56KB

Download
memory/4488-87-0x0000000006040000-0x000000000608C000-memory.dmp

Filesize
304KB

Download
memory/4488-85-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

Filesize
120KB

Download
memory/4488-160-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/5044-159-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/5088-98-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download
memory/5088-36-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/5088-28-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/5088-22-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/5088-23-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download
memory/5088-20-0x0000000000FB0000-0x0000000001008000-memory.dmp

Filesize
352KB

Download