hxxps://drive[.]google[.]com/file/d/1qJfhvuyA7Sgw2LGuSipFc1QA9-FErzom/view?usp=sharing

Analysis

max time kernel
267s
max time network
263s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
02/04/2025, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1qJfhvuyA7Sgw2LGuSipFc1QA9-FErzom/view?usp=sharing

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4036	powershell.exe
232	powershell.exe
64	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	Fitnes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	Fitnes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	Fitnes.exe

Executes dropped EXE 13 IoCs

pid	Process
2916	Fitnes.exe
764	Fitnes.exe
4048	Vkk.exe
3196	fitnes.exe
4628	fitnes.exe
4840	Fitnes.exe
520	Vkk.exe
4924	fitnes.exe
5168	fitnes.exe
3808	Fitnes.exe
5616	Vkk.exe
3840	fitnes.exe
3908	fitnes.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fitnes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fitnes.exe"	Fitnes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fitnes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fitnes.exe"	Fitnes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fitnes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fitnes.exe"	Fitnes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vkk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880818510836284"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
4036	powershell.exe
4036	powershell.exe
4036	powershell.exe
4048	Vkk.exe
4048	Vkk.exe
4048	Vkk.exe
520	Vkk.exe
520	Vkk.exe
520	Vkk.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
5848	chrome.exe
5848	chrome.exe
5616	Vkk.exe
5616	Vkk.exe
5616	Vkk.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2476	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeRestorePrivilege	1096	7zFM.exe
Token: 35	1096	7zFM.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
1096	7zFM.exe
2476	7zFM.exe
2476	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4560	OpenWith.exe
4560	OpenWith.exe
4560	OpenWith.exe
4560	OpenWith.exe
4560	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4128	3972	chrome.exe	82
PID 3972 wrote to memory of 4128	3972	chrome.exe	82
PID 3972 wrote to memory of 4364	3972	chrome.exe	83
PID 3972 wrote to memory of 4364	3972	chrome.exe	83
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4072	3972	chrome.exe	84
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 5564	3972	chrome.exe	87
PID 3972 wrote to memory of 5564	3972	chrome.exe	87
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86
PID 3972 wrote to memory of 4400	3972	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1qJfhvuyA7Sgw2LGuSipFc1QA9-FErzom/view?usp=sharing
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffda7d4dcf8,0x7ffda7d4dd04,0x7ffda7d4dd10
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1592,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2412,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2964,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2996 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2972,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3016 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4268 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4656,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5584,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5756,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5848,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=500,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3636,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5900,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6336,i,13020170666685455982,673827001460333550,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1528 /prefetch:8
  2⤵
  PID:1712

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3984

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\VKK (1).rar" -trar
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\VKK (1).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2476

C:\Users\Admin\Desktop\Fitnes.exe
"C:\Users\Admin\Desktop\Fitnes.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2916
- C:\Users\Admin\AppData\Local\Temp\Vkk.exe
  "C:\Users\Admin\AppData\Local\Temp\Vkk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fitnes.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  "C:\Users\Admin\AppData\Local\Temp\fitnes.exe"
  2⤵
  - Executes dropped EXE
  PID:3196

C:\Users\Admin\Desktop\Fitnes.exe
"C:\Users\Admin\Desktop\Fitnes.exe"
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fitnes.exe
1⤵
PID:1492
- C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  2⤵
  - Executes dropped EXE
  PID:4628

C:\Users\Admin\Desktop\Fitnes.exe
"C:\Users\Admin\Desktop\Fitnes.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4840
- C:\Users\Admin\AppData\Local\Temp\Vkk.exe
  "C:\Users\Admin\AppData\Local\Temp\Vkk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fitnes.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  "C:\Users\Admin\AppData\Local\Temp\fitnes.exe"
  2⤵
  - Executes dropped EXE
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fitnes.exe
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  2⤵
  - Executes dropped EXE
  PID:5168

C:\Users\Admin\Desktop\Fitnes.exe
"C:\Users\Admin\Desktop\Fitnes.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3808
- C:\Users\Admin\AppData\Local\Temp\Vkk.exe
  "C:\Users\Admin\AppData\Local\Temp\Vkk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fitnes.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  "C:\Users\Admin\AppData\Local\Temp\fitnes.exe"
  2⤵
  - Executes dropped EXE
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fitnes.exe
1⤵
PID:1876
- C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  C:\Users\Admin\AppData\Local\Temp\fitnes.exe
  2⤵
  - Executes dropped EXE
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\892f6759-5d09-408a-9f8d-35efd6852668.tmp

Filesize
649B

MD5
2787ba8189ee37427152b916492562cd

SHA1
782a74826261c085a3388a7588c2662fcbc783b6

SHA256
2600135045db84cd6ea931650f81982a980ab6f4bb9288a1f296dfea09f99672

SHA512
1a01ea87b49da88a1c25f02bfa5e4f8c1d22d28d6f9a40496cdd599aed5570823c183e7fd8b9d17b4c8af2ce8718c357336b2f8266a91c26d75478d9d52f0e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
1d280be7d7d41aca7c3037b23b6f55da

SHA1
120bd44e6a847b01aa50ba82d50ed1a7693707be

SHA256
0bd4e7128fa71a563888c4108d0a1f0a970e2eeb4d6fb03ef3634695a1741b18

SHA512
6a37acb821c55bebad9e7051b75ec86581f8f27dfcf2a2ae48391f50edfd37fcd5af390179dc8a86db0bb274f768dbfc81a9bab667366fb509fff0de14f5c517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\30a8fd9c-5542-4d6c-a174-adea0ced856c.tmp

Filesize
7KB

MD5
b05bd08aae2973b43f701b1c76de7123

SHA1
cd6dcddb09d1ecdf22c5742be6da4f65aba9744f

SHA256
82f86511d6456eb35c180f655299d27b8ce310cd26f0a1814ff6f97c808958a4

SHA512
9c323c4f77935579cc59970bc089f1d305db3d77c54e358f92dcdd857191af3d6b15eeff40d0e431eb9023b8422620bfa48209f99fa725a7ab3583ccc5479a01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d10c89f16696d840e0ff038472a5e9e2

SHA1
4559cd077fb09036337d9fe1af948b704ac1fd51

SHA256
23bf9bb9265a86ebfa838d0d7550dffe109e798e1c56552085844782f240d713

SHA512
71b5b4bdb5c5728ee33e88aa44e5d32c94c8b2a609dbc9b3146e2d1d6b4e8586f005e2eda4ea3218cec67ee4df642710bc93a9cd3279a4777b472ce6e03810c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
66fe89acbcf33507255993d2eda4ac9f

SHA1
5eca9cfcacd86aea6cff5f6081c0cf401dc1db11

SHA256
08025f200dc40990e7e639f0c612a5a13781954aee1790aaf2ccdcd7a191e500

SHA512
73604fedd79e3d8d91d2fc35dafcf5b18837238bc97f0abf08aa0dc598a0f9eaa4a33c17e6af26c2a8bfd5f2711f2e4286468c1cd0d374dc0e6e408f7bd9d8f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e084420330ebfc10e30bcc72c0d5d1cc

SHA1
a08ea7d72c54d9b142672dd266472829f502c897

SHA256
148ffcf69af91ec5b43d427daee7b96476803bcc9d8fbd9b194fdc3fa741c47f

SHA512
a0e6e3d0b4504648c0c3779e93ea6ac0a42dc4a1532d56704ae5e4190d7718ebee8767f696b6a00604b548d240b6dffcb4973ad5997d3f5b27edcd70881afbf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e2feb832713ad4b0fffb2f84467dbc37

SHA1
3b11b8dc50e53d2c02af683118eca9955b9e448e

SHA256
e7c6a9d55c63c76c5eb762a7d017782b6f9f07fe8c5dc62b9271f1091a49a5c7

SHA512
fa9f5d7b77206642ff23f51825b4e4e4aa11da845a502a18b5a68ae3db5fdf72adeb7b4405ac4f13d038c2c83549e19b6d528f6bf09ce61849d31717c4d1b723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c2b824fe84732ef855a5286fd6032c27

SHA1
60df9cc5b58f3801c35e7b92a93676ceba4484f3

SHA256
aef42822a383b93a4dcf1cee6820d246e19ed167ec879e03371283d5639c163e

SHA512
6a4c318bbbb9a9a7e84c49ec6fd610e37fcf22de8e382d856bd107185b2ca21b0edecbb9cf484f7da1176590c6715923c868f5ebf0381a401dccf9b32d780e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57aebe.TMP

Filesize
48B

MD5
0b1f658834ded33104acb6c886d9932b

SHA1
378bddf1d906f3727be9940ef2a855b89d395c10

SHA256
89fa9c7d1c5ef51b22fc3fd6a0b115e0843fb2d902c99de9806f6bdd660d79b6

SHA512
64ab554e28c3a526ef2f4e948c7df0f60abb0178ba0191e00a19c272c900d4948d6c8d00f2f20ec48fe46cf9495873d59db6e8ff2d376cb4eb9b1568d73b1205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
943162b731735bba5cfc093935c6f303

SHA1
ef0eb3abd81b554d9642889c46b2cff5c14d6bad

SHA256
eb872836057b4c35a0472359a3f34c08102cb6b544d31f4c181edbeecc5155d9

SHA512
2a83f6bb68054ed3ec3c5046638bbeebfa29400e9151a86faa0f2b0701e57c7846ca97633cfd25bb997a496155150057311dbb7a1617121bb7626c3c02c52a3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
df2a20948e7f3259d7faeb1094605efb

SHA1
19d258f2e80a2f759be20eb133db976d3ff4e05d

SHA256
103457c5d5fc504597b56ba0fbc2aa63b54d5ed5abfa5c65b9451cd72434f042

SHA512
3880e026d288b31520c5145b2976756b90dd7a536303f79cfc05a75853e5386cb6dfc6c4c63e6f92c39eefc7212dddf7d6b8ac0c89d41cd3183f5254f0589b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
8c6cbec896e70b555276f3813cd6715c

SHA1
59da49adf6dcb4a34d113fcf122da4d669c9c282

SHA256
3561a348e9ca296ef193f6d53fd1aeea6d51ba33b94772410628cfb0b8555112

SHA512
5305655879d605d70c2af9e910ad8ade02b3a5720bb2aafb9becf22586dd60cb599cb4f44aabd5014f7493d8e832710f637d69039859991b373a9acbca666521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
6f014cbc0d59014a25e1c185d81a13ed

SHA1
7cfd29e13f5b974411bea8dc4184602d951747fc

SHA256
6f8852366435f20d43bfca449bdf7a657ef99675585afae7538490031e5a294a

SHA512
45ec46777fe35f441000b3f8cca56151b2962bb69622873e906b624217081ab59ea3026a328570226cc13f38340abf1251f4810551f38f952f772e3458641144

Download Submit
C:\Users\Admin\AppData\Local\Leon_Miller\Vkk.exe_Url_zdfgtpz3sb2yglwan5j31xcy0bug0gel\1.0.0.0\gpb2lv5y.newcfg

Filesize
1KB

MD5
867804f17d1a39a22499d580e15d9107

SHA1
2a86ff35bdbba8a944cdba09fafa259de69a91fc

SHA256
3b75e65d7574fc901166f315c2d24dc2f0fb85d89c287bff693119ee58b84a68

SHA512
1eb56654d0bdc728b354cedb6f0235aea2cf998b4b4bfdf901e3039774fa1acc6d666ff570dff5136d900ac6c66cfe19801287700b6c35cedbcf55b6604daa96

Download Submit
C:\Users\Admin\AppData\Local\Leon_Miller\Vkk.exe_Url_zdfgtpz3sb2yglwan5j31xcy0bug0gel\1.0.0.0\user.config

Filesize
774B

MD5
8d00ff3a8c5c029e259670d28d8a7186

SHA1
4a98cd09ad41da7e140920e1aa85fabb18ead68f

SHA256
957626b52ade505ad611d7b4bb077d2203a6f25705d4391f385a57d39a8532ae

SHA512
0696ea437194622e419b139b3a2eb13f369a1068a81f63693fcbb1dd46cd85ee1f368f93a0830d5a1e0b791c657c8d81d34cf8e71c63bc7c7e0f18098c242e93

Download Submit
C:\Users\Admin\AppData\Local\Leon_Miller\Vkk.exe_Url_zdfgtpz3sb2yglwan5j31xcy0bug0gel\1.0.0.0\user.config

Filesize
1KB

MD5
7ef3177c05e3e450c582bfc16bc664f1

SHA1
b6f329321bff76c71d01058fecb7dd0d4af36e52

SHA256
28cc7ac25cad281843d7cd4acc6a307c8206628c77857f13824fea0c65f70f82

SHA512
2889b0805cfdef92d41e3e1b94a4524a006ebaff16cd3d9c85eace04df055c3b896192fa47753bb92035692762b8b46e61fd9ce351189cd7c0f0a7543812743b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fitnes.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vkk.exe.log

Filesize
2KB

MD5
5e975ad3f48e5633cd14b5113ca3ab7b

SHA1
42b7647f992980b36ff36c6d20760c5c280a79c9

SHA256
2ee119758721afd4dab0805892beea4d1ee2fbad6a7fda0d6623256b08cd804c

SHA512
3397fb54fdb9ad4c3f51cb3ecd9d89fa5ad582ccbf55c26dc4b289f97584fe5e6e497a31d2a424ac8bde64fb8822a5587aa62b6bc742e4915218174e6cf25cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b5a6c53c51e706482864d74f21c6820

SHA1
c643a8992a01b650fb4144b51a7876d36dbbb872

SHA256
4ab706c44bf8b4a44709b998ddf91b1a7d59af1f1121b81af1f75e1a647059aa

SHA512
fad639eaf41691a3335c6c0cc2c0075efdaf13d9ac4fd65a17e729e914753d02c556f1826b1070ab150a05a88d51d4f3cfae700c16596076e6a9fcd7c1863138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05d5985f9530cd0ec6e0f862345f926b

SHA1
85d60d716865c998036aafd0bebda2a9ef5f344e

SHA256
99ecc05731562543a570a43ad0c36d325b691b19ef16088eec56b19d56ba1277

SHA512
cf5421ced92d2d58cf66e6882cbe7845c4debb19214f86a0dfa046d26d32396e360f9cb35dd452a09fdfd98d2558c1e0ee634769685b8562ef1f592c6b512947

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vkk.exe

Filesize
225KB

MD5
94546d52741393dc7ab5dab78194c66b

SHA1
bfd1c134549b168e6ce8e673a8ad33e0a9919c1d

SHA256
2be09790d378c33427aa26df7c7398050d8190ecda5fbfc00b56de308845b4ac

SHA512
a21d6377ef86d029934ef035398f8277988373c210f492f2978850bc12fde7be9128c38e546890430d4bd3dfb70d6b637f60c794db048f70b78a6901fb05bb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p302sg53.4yl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fitnes.exe

Filesize
512KB

MD5
0ed14a025f7d69b5eaa05bda53bd6c5a

SHA1
f9c062941c5ad870efc38c371410484673c06b52

SHA256
d5e0114c85df708737ab890a466e28bbe938d8c799914475ab8400ddf306d071

SHA512
9c675f3c04ecf2fefa7a25a1ba58639d4f00eec67d295275b1b6fc8140969bfe9c2376f028d4332a7806a466523a79bf5a5f966005e3b1d7b549f5909d9df7e5

Download Submit
C:\Users\Admin\Desktop\Fitnes.exe

Filesize
454KB

MD5
3788f348c9a084d5a09ccd2c1a3b71bb

SHA1
5ebad6ff2bbb2e1641f914562dd79ab52304d108

SHA256
c6161401f55482496c8b2883d4580a61ed4074d523db5deba0a9ae186bb25b6d

SHA512
614a4a3508d88a08c845efdd428eb7ffa744d49af60a255bc32238cfc6ff543696a464be3771031e2a3cfc800ca52bc01582617f7c285c5a305376f6e2e45f00

Download Submit
C:\Users\Admin\Downloads\VKK (1).rar.crdownload

Filesize
396KB

MD5
b6eef6cf8fab3099f778fdf5dfb9fc19

SHA1
9c70b6f6432bc1979bdad432d044a5640e0fc6ad

SHA256
e3ada99b4a64064ad06bcfa6383cfeab88827175691edd0f64ee5c17250fb880

SHA512
40b4a86a6a5b9484dd5296fd1205f34b6cc1af0bd8155a0ae8f0c9150f14762d546e7b170963ec4b37ed72033bab1d9cbbb35bf3cf07f99d9b11e6f84ceabaf9

Download Submit
memory/2916-207-0x0000000000060000-0x00000000000D8000-memory.dmp

Filesize
480KB

Download
memory/3196-252-0x0000000000CD0000-0x0000000000D56000-memory.dmp

Filesize
536KB

Download
memory/4036-232-0x000001E78B8D0000-0x000001E78B8F2000-memory.dmp

Filesize
136KB

Download
memory/4048-254-0x0000000009A00000-0x0000000009A08000-memory.dmp

Filesize
32KB

Download
memory/4048-255-0x0000000009BC0000-0x0000000009BF8000-memory.dmp

Filesize
224KB

Download
memory/4048-256-0x0000000009B80000-0x0000000009B8E000-memory.dmp

Filesize
56KB

Download
memory/4048-234-0x00000000001D0000-0x000000000020E000-memory.dmp

Filesize
248KB

Download