5558b04220e017f2a69fd88c575ec9450bde361049e42fd67501a0f89ba21834

Analysis

max time kernel
628s
max time network
621s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CyberSecure Pro.msi
Size

9.3MB
MD5

f1eefdb0865e3b5dcf1115cdcf4bd4ba
SHA1

d918c5cc45b9a97898af579c058e509f227f87b6
SHA256

5558b04220e017f2a69fd88c575ec9450bde361049e42fd67501a0f89ba21834
SHA512

879052b5114b4a3f23917b75b713db23d06e454185ac1fb2c72b4fa0b70bf17fe68284f5c0bbf3e29643c76bef2feb5b5052df1a713589d35d692f83cca94975
SSDEEP

196608:3i5QuZL4+qjtvelQP6XTIVqLbS6l4qZf1uozsXG:dua0lQAr14Jo4XG

Score

6^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	3812	teUninstall_test.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5572 set thread context of 3128	5572	SplashWin.exe	104

Executes dropped EXE 12 IoCs

pid	Process
4592	ISBEW64.exe
4708	ISBEW64.exe
4872	ISBEW64.exe
4732	ISBEW64.exe
4524	ISBEW64.exe
4848	ISBEW64.exe
4780	ISBEW64.exe
4956	ISBEW64.exe
5992	ISBEW64.exe
5648	ISBEW64.exe
2272	SplashWin.exe
5572	SplashWin.exe

Loads dropped DLL 12 IoCs

pid	Process
1708	MsiExec.exe
1708	MsiExec.exe
1708	MsiExec.exe
1708	MsiExec.exe
1708	MsiExec.exe
2272	SplashWin.exe
2272	SplashWin.exe
2272	SplashWin.exe
5572	SplashWin.exe
5572	SplashWin.exe
5572	SplashWin.exe
3812	teUninstall_test.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133890278422601934"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2272	SplashWin.exe
5572	SplashWin.exe
5572	SplashWin.exe
3128	cmd.exe
3128	cmd.exe
3812	teUninstall_test.exe
3812	teUninstall_test.exe
3492	chrome.exe
3492	chrome.exe
3812	teUninstall_test.exe
3812	teUninstall_test.exe
3812	teUninstall_test.exe
3812	teUninstall_test.exe
3812	teUninstall_test.exe
3812	teUninstall_test.exe
3480	chrome.exe
3480	chrome.exe
3492	chrome.exe
3492	chrome.exe
372	powershell.exe
372	powershell.exe
1932	powershell.exe
1932	powershell.exe
1932	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5572	SplashWin.exe
3128	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	220	msiexec.exe
Token: SeSecurityPrivilege	5940	msiexec.exe
Token: SeCreateTokenPrivilege	220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	220	msiexec.exe
Token: SeLockMemoryPrivilege	220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	220	msiexec.exe
Token: SeMachineAccountPrivilege	220	msiexec.exe
Token: SeTcbPrivilege	220	msiexec.exe
Token: SeSecurityPrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeLoadDriverPrivilege	220	msiexec.exe
Token: SeSystemProfilePrivilege	220	msiexec.exe
Token: SeSystemtimePrivilege	220	msiexec.exe
Token: SeProfSingleProcessPrivilege	220	msiexec.exe
Token: SeIncBasePriorityPrivilege	220	msiexec.exe
Token: SeCreatePagefilePrivilege	220	msiexec.exe
Token: SeCreatePermanentPrivilege	220	msiexec.exe
Token: SeBackupPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeShutdownPrivilege	220	msiexec.exe
Token: SeDebugPrivilege	220	msiexec.exe
Token: SeAuditPrivilege	220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	220	msiexec.exe
Token: SeChangeNotifyPrivilege	220	msiexec.exe
Token: SeRemoteShutdownPrivilege	220	msiexec.exe
Token: SeUndockPrivilege	220	msiexec.exe
Token: SeSyncAgentPrivilege	220	msiexec.exe
Token: SeEnableDelegationPrivilege	220	msiexec.exe
Token: SeManageVolumePrivilege	220	msiexec.exe
Token: SeImpersonatePrivilege	220	msiexec.exe
Token: SeCreateGlobalPrivilege	220	msiexec.exe
Token: SeCreateTokenPrivilege	220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	220	msiexec.exe
Token: SeLockMemoryPrivilege	220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	220	msiexec.exe
Token: SeMachineAccountPrivilege	220	msiexec.exe
Token: SeTcbPrivilege	220	msiexec.exe
Token: SeSecurityPrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeLoadDriverPrivilege	220	msiexec.exe
Token: SeSystemProfilePrivilege	220	msiexec.exe
Token: SeSystemtimePrivilege	220	msiexec.exe
Token: SeProfSingleProcessPrivilege	220	msiexec.exe
Token: SeIncBasePriorityPrivilege	220	msiexec.exe
Token: SeCreatePagefilePrivilege	220	msiexec.exe
Token: SeCreatePermanentPrivilege	220	msiexec.exe
Token: SeBackupPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeShutdownPrivilege	220	msiexec.exe
Token: SeDebugPrivilege	220	msiexec.exe
Token: SeAuditPrivilege	220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	220	msiexec.exe
Token: SeChangeNotifyPrivilege	220	msiexec.exe
Token: SeRemoteShutdownPrivilege	220	msiexec.exe
Token: SeUndockPrivilege	220	msiexec.exe
Token: SeSyncAgentPrivilege	220	msiexec.exe
Token: SeEnableDelegationPrivilege	220	msiexec.exe
Token: SeManageVolumePrivilege	220	msiexec.exe
Token: SeImpersonatePrivilege	220	msiexec.exe
Token: SeCreateGlobalPrivilege	220	msiexec.exe
Token: SeCreateTokenPrivilege	220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	220	msiexec.exe
Token: SeLockMemoryPrivilege	220	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
220	msiexec.exe
220	msiexec.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5940 wrote to memory of 1708	5940	msiexec.exe	89
PID 5940 wrote to memory of 1708	5940	msiexec.exe	89
PID 5940 wrote to memory of 1708	5940	msiexec.exe	89
PID 1708 wrote to memory of 4592	1708	MsiExec.exe	92
PID 1708 wrote to memory of 4592	1708	MsiExec.exe	92
PID 1708 wrote to memory of 4708	1708	MsiExec.exe	93
PID 1708 wrote to memory of 4708	1708	MsiExec.exe	93
PID 1708 wrote to memory of 4872	1708	MsiExec.exe	94
PID 1708 wrote to memory of 4872	1708	MsiExec.exe	94
PID 1708 wrote to memory of 4732	1708	MsiExec.exe	95
PID 1708 wrote to memory of 4732	1708	MsiExec.exe	95
PID 1708 wrote to memory of 4524	1708	MsiExec.exe	96
PID 1708 wrote to memory of 4524	1708	MsiExec.exe	96
PID 1708 wrote to memory of 4848	1708	MsiExec.exe	97
PID 1708 wrote to memory of 4848	1708	MsiExec.exe	97
PID 1708 wrote to memory of 4780	1708	MsiExec.exe	98
PID 1708 wrote to memory of 4780	1708	MsiExec.exe	98
PID 1708 wrote to memory of 4956	1708	MsiExec.exe	99
PID 1708 wrote to memory of 4956	1708	MsiExec.exe	99
PID 1708 wrote to memory of 5992	1708	MsiExec.exe	100
PID 1708 wrote to memory of 5992	1708	MsiExec.exe	100
PID 1708 wrote to memory of 5648	1708	MsiExec.exe	101
PID 1708 wrote to memory of 5648	1708	MsiExec.exe	101
PID 1708 wrote to memory of 2272	1708	MsiExec.exe	102
PID 1708 wrote to memory of 2272	1708	MsiExec.exe	102
PID 1708 wrote to memory of 2272	1708	MsiExec.exe	102
PID 2272 wrote to memory of 5572	2272	SplashWin.exe	103
PID 2272 wrote to memory of 5572	2272	SplashWin.exe	103
PID 2272 wrote to memory of 5572	2272	SplashWin.exe	103
PID 5572 wrote to memory of 3128	5572	SplashWin.exe	104
PID 5572 wrote to memory of 3128	5572	SplashWin.exe	104
PID 5572 wrote to memory of 3128	5572	SplashWin.exe	104
PID 5572 wrote to memory of 3128	5572	SplashWin.exe	104
PID 3128 wrote to memory of 3812	3128	cmd.exe	108
PID 3128 wrote to memory of 3812	3128	cmd.exe	108
PID 3128 wrote to memory of 3812	3128	cmd.exe	108
PID 3128 wrote to memory of 3812	3128	cmd.exe	108
PID 3812 wrote to memory of 3492	3812	teUninstall_test.exe	112
PID 3812 wrote to memory of 3492	3812	teUninstall_test.exe	112
PID 3492 wrote to memory of 4324	3492	chrome.exe	113
PID 3492 wrote to memory of 4324	3492	chrome.exe	113
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114
PID 3492 wrote to memory of 6140	3492	chrome.exe	114

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\CyberSecure Pro.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9FC5B3A34B43354796B336E51818A4B7 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D91E778F-414E-41AF-8817-478EA037473C}
    3⤵
    - Executes dropped EXE
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{046A7F8D-3D4C-4593-87EC-733051B12995}
    3⤵
    - Executes dropped EXE
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C9F57DB-1AF9-4453-AC8F-24E1D2F53E73}
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{881ADF06-7E91-466E-A515-DCEFD39B9190}
    3⤵
    - Executes dropped EXE
    PID:4732
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2A50E8D9-B49F-41E3-AA6F-5BEF688296C0}
    3⤵
    - Executes dropped EXE
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B098E10-B44A-4B36-A79F-8C08F1AA88C2}
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB44E595-EE9A-431E-BAF1-23F9D2ADE7D7}
    3⤵
    - Executes dropped EXE
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9ABEFB24-ED4E-4D3A-9FB9-1298E9C107EC}
    3⤵
    - Executes dropped EXE
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{288AA649-F06D-4F80-9098-CD9584EA3988}
    3⤵
    - Executes dropped EXE
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B21C8CAA-5796-48BB-8408-D5FCEDBDF2D8}
    3⤵
    - Executes dropped EXE
    PID:5648
- - C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\SplashWin.exe
    C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\SplashWin.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Roaming\HUT_Quick\SplashWin.exe
      C:\Users\Admin\AppData\Roaming\HUT_Quick\SplashWin.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:5572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Users\Admin\AppData\Local\Temp\teUninstall_test.exe
        
        C:\Users\Admin\AppData\Local\Temp\teUninstall_test.exe
        6⤵
        Downloads MZ/PE file
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffc5ab2dcf8,0x7ffc5ab2dd04,0x7ffc5ab2dd10
        8⤵
        
        PID:4324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1964 /prefetch:2
        8⤵
        
        PID:6140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1556,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2268 /prefetch:3
        8⤵
        
        PID:4352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2516 /prefetch:8
        8⤵
        
        PID:4256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3200 /prefetch:1
        8⤵
        
        PID:6072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3252 /prefetch:1
        8⤵
        
        PID:5856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3800 /prefetch:2
        8⤵
        
        PID:5032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4604,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4184 /prefetch:1
        8⤵
        
        PID:4644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5364 /prefetch:8
        8⤵
        
        PID:1756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5388,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5424 /prefetch:8
        8⤵
        
        PID:4552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5464 /prefetch:8
        8⤵
        
        PID:5720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5504,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5428 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5456,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3044 /prefetch:8
        8⤵
        
        PID:5660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6072,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6084 /prefetch:8
        8⤵
        
        PID:4132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6184,i,6897169899027237171,2635622084933917440,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6192 /prefetch:8
        8⤵
        
        PID:5812

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2472

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5992

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
53112a74d88e4e144a010f2c50160a92

SHA1
9d76b4551f6b8af819b9b9818c8f5bf3b199e2a1

SHA256
906dcafbef3c5960dd1f7ca700d7d9ba167923622d6e7aa4961d86d8eb93ea18

SHA512
22031e17b97127ffe5301336459115b799c5afe9c0600bab3b1a0d546a317dd0d3a36432641353198e9bf1a45c7dad5bc23fd934245e19f9493dbf6c666af5e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7dc5e92e56a8bb71047acd0c34726a79

SHA1
50d8df481e42582519824e831504f68435a72435

SHA256
399d7efe5a86f2e6dd037bce3451210a0b14043318af86f4563efbbc99783422

SHA512
c8848f26eb899c223bceed7e69ad3b02c022ca5d2116dc61b1aaf139f71137efdc027a9338995d4d9b27abd33283afdb7d3321f323bb82e1218b26d869adb298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
94c7468320acb0df81fe4d23c8538b51

SHA1
529dc6e7f7e66af211178977fb81d8e5423ea9a6

SHA256
ed167218d662cb1976c079470521e8b59987e66d5944f00213df0a3ed0fc2b21

SHA512
3d2212e6fdbc201f227b2221c9e0868b53de369c370834224b9c5d84d08a4e940c84120c8cea9b778704c8890c8916ffc7638caa472309075fd92ac63f6a1f88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6d021cd3540e041ba50feb07eac62121

SHA1
a28f3ee90b1772586c9d9a85c903b848ce09d567

SHA256
8d555100d879c15268a150ae58f318d184993d380879262ca312a381106fa485

SHA512
e71ec14e0c5590e6a034841b254d26e15f40adbe1f7a5d473c2b7bc017cac44dea2103652c9a9f2b25e3c8102639fb1b77c81258a9d18bab87303daae17d73c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
74620d36a8ff3fe90e43d5410445a98f

SHA1
ffe88bf1b928d54b6ada96e3c2a516672163bbe0

SHA256
cd98d8c480963fa9beba79b664dae9788a136b444ec1bfc5c1a7b66dd81f72b9

SHA512
a7f274cce29319551fb07da3a7e420115bf4ca224e096b340b328b39a2f92c148477f9b36deecfb6483f62a1d25596388b286e0fe2ed94041c64343f3072d2bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
51b53d5f8019179898af8708f55469e1

SHA1
4b82c75811d16966986f2494ca91298a4d915555

SHA256
39698d62f10f7f0dae761ea5f66a8decdea6af213b95276516c5f08aa09464ef

SHA512
7f193f32c9b255dfe2a0de5990fb39ad8ab09e35d6aac70bd7cc67861569b996339dd087e8124ed14b1fd0c5c3bad0b16444cfc871e8b80309dfc93137ee37a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c25d653263917c7c4c00638e6d2c9f1a

SHA1
801925bfb33951007a8d852a9980e1e85b97a879

SHA256
bd6e179170bcdeb893ff4f731d6aa5a34da60f0a05dfb1350f5d9f3240e0354b

SHA512
3dc7bb35f3c004f58acbc0e68057b30e91cacdcc0455c13897d8e0bf7b0f8aedaf668f6e2f950fd00f4084f86990d7fb63626d43c308cc79898a438d8ddb7599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6e4b7354040c2e30ff64838335ed15b3

SHA1
6fac6bbd11919f558bcaf43239194fc612ffc059

SHA256
e8683aad33168ff66393a71dc0c3bf755afc7fd5bcfd03ded46aaba991c67186

SHA512
0f1d9177fa5a64ca5f04a38091af896f307339ec2811f22e71814c827f129d05c7437ffae084e3043d720d27022d7b8d7ba6aca3d4611a17aa0648ae23181266

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bf419416e81eb9d2821638a7cf4f8e43

SHA1
0b5b736a9bb3f1bc291c797ccef65056f27da326

SHA256
ded5df298b14b5fc8f8aff78fc2f9caaad0802125124f5701cfe83fca868e18e

SHA512
79c496678336bbb39ed4e68d947c9e663dc2338b7c51becf363136581f848eae6d03b16db0e3394e18b64d2c277ef80e66993e14a555cb123e515b82aa81fe46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
79ee5edc170a900245482d56d56de650

SHA1
4691bcf5430abf4743b0ced20a63e5ac6cd6301b

SHA256
0d6963f8e16b76dd40bfe314e296c48c8773fcd30a607c10d1940f5e31d48bcb

SHA512
4905be819ba8a83f092fa2ee332859c5f4263e133ba675d6c6f100ad0865f143b1efd67c3e5220a72686a9315f736867505f8407d64b43559f44aa417a0d3235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
75c2614b54cfdbaa5cc197c9661bd9d6

SHA1
cf1d4c0fbc2ab726f96e5410dd6649395e944f0e

SHA256
58802a1d0c6cab2de68d93c69f3111ea7e48af215cbb6922f7a42e5faf5d2d05

SHA512
cb614ac648e54e212bc5a821fe83e8c3b33df74d1e6c970a42b42daa3cb784b1cc7ba87a61bbd8fdc859528b7643c860bf207dd57d49afc57e6fa11b6eb9996a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58cf80.TMP

Filesize
48B

MD5
e75cf536464347772682651316f8ef3d

SHA1
65980999aeed534b37246c5c760e48085e12ba91

SHA256
e9b51adf15f4e03032c468770017670f025136c03a23ccf5da7507276dd1d1cc

SHA512
63b55040ab1a1cfb9333bb92ffaab27f7d136b38c3ac0ae77c7ab65fdb82d36c414703022b100c79d38241afe12e9e68cc9854dd636e623deb29175a41b7c710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
ae084530b1591e9d6042494413f876ad

SHA1
7a48c30be4f2d9f4d4dc12aee2c956821a4b70f1

SHA256
cbabaa202168b0e107bf1802f923a8d506644045b3bbb10660b283404c3de7fa

SHA512
ea46bed6f254595dca99d70918ef0f5a7920ca5aa73f0fe48ceff374b2e8cfd92a633be92d996d2e62acd2ebc983c13371ac36450057b287bdccfd7b43c812e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
d1c486251dfd6ad9465fd300999f5403

SHA1
cbe786a0b7dc49bcdea6d0bda9636fcfec564076

SHA256
8a445dfe6eb2ae911ae934bd6c272a05328263012f827112c806a43566421b9e

SHA512
03d36d779d2ad494856b17dec0a50f51bbaafb4f1f850b3c7bb2ab685651ca7cf3407a427d24add96bc7066b3123cd20ed702c0733f138e5519c65ad73b1652d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
e810579f85c665f61207eec270736fbd

SHA1
8d797f2e7c864e3b2a569187411eaf318ba44f3d

SHA256
ed58e93bcda14f607931d5dd79dcbcf2bfb1a9dce8322d74a068da50709d9514

SHA512
c479e3771fb4e291e8584fbd11de5c8489128c6b11218eb6a79760d41715eb03a4e81b4108b373699afcb4de44eb12d26b97fc490e77398e3230691442ab930a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
6bce24f3f9dc5b98b4375e9d6b6a1464

SHA1
b8abb98b8a4d5a24543bbd9503dff795efe8272c

SHA256
65876d339a3c5091b8b30309b25c11a29c15e2a13a74e43e125559003bbcd6a2

SHA512
758d7c87ebd16cde3d1aa816553dc5eeba2e196ecc6ed36bdec29ffeab1b2b3c564cbcb7aa0618f98667e35c4df9243d7f8cd6ed772b5d083eba5553eaafccb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e05c79a5982414083892a9602685cc40

SHA1
9fe229c08fb0117309bbd0ab9cc2cedd2e547d53

SHA256
9ea651784059c88a43346b091d0d5c72cc5cb1ffd33355d2de40986761a00551

SHA512
72f39ecc357db67f95c50b4db1b445fee5bf2aada2b1b1c6117b5ed25a1b7fc579de0e761c1bb6653ed2c4ba294c3591e86976137cfca7e8233d3263ff94451f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI68BC.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6A92.tmp

Filesize
2.5MB

MD5
9dd37625fd77c30e9f4fac7078ad92f6

SHA1
91f29877f9cd7ad69dd021c274381bac82895d19

SHA256
c070976e1bec6527d5117b87be44628c609cd47dca805f9899f827ef1ccaddf1

SHA512
2211cda9e261c0d43a6e3e8953aacbe21b74cb527a7c073fe1671812ba346d398e8ce2e3f8e710635b41016c8ce61e5668ef65c94c2cc3b658d3be514adc83ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_awfk1ltz.txr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\df41793b

Filesize
5.4MB

MD5
e950d3dea50e7d97e2a1d966bd4a5e3d

SHA1
c55151171593d72b592e67d03ca292bddc422ecb

SHA256
3c5c84c65c3b7ead08275b599043f36ea4bfd356478c1b0fe37b63373c4024fd

SHA512
b8fab6be9f818e9edfa422b8c77a1c7d498387ea38e714b49b05f74af9f1483281cf91f78623a43e865550cc9841a29fae03ee913e5d98dd88b3c997baee3692

Download Submit
C:\Users\Admin\AppData\Local\Temp\teUninstall_test.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\DuiLib_u.dll

Filesize
840KB

MD5
677004470e3bb68df7b0cf61c67bb5b8

SHA1
d82697919f929bfac3069d70242c82b41b32f2dd

SHA256
8d11e5e24f3f4454b3bcddc3b6ad8848c4bc7bdb96bb6375188b1f5d44e84a6a

SHA512
676f64dff0d90943f9c42beeb34e8efb5cb88440c2a8b720ef8404f54d6e297b50a247d517eb03c83eb00e0f6355f1233b73c36cc7d35db7bce7ed7573e88c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\VCRUNTIME140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\horoscope.html

Filesize
45KB

MD5
75c30eb9a53a184a8b05dca487f07de5

SHA1
c3fe8d85a16817c402bd5c5776195f6c337ccda0

SHA256
f709a1b33efaa8ecd4070193803aea5986c4ddacb8846ad8612605679b1096c5

SHA512
855d2532438bf6d6ce2f2c8a51921cf356e14c3083b56963ec8b6d4943807bf94d4dae4ffbb4623117d0e8018f3d771810ef54da6c61ffadbb7b3f8b9d8f8597

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9061CA5B-4CB3-463D-8476-569E5A3F9445}\reremouse.apk

Filesize
4.3MB

MD5
e149647a7062e031613909aef3ba6837

SHA1
ceb8e23622d59c26e641f8d1d89c883f680edf2a

SHA256
0bad86799b73ac2234c268db6e0a1b55292b94b39b46b1ef7c14e8ae0807fefc

SHA512
4997b3d387c7776fc19285bb4a95287fadd66660b526199fb2193b6be9e5588a82343529793789b48eee5253e830f69103dde0deb17be38c1939f7468aafce49

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FBDE73EF-BA41-4139-B061-6B0A35D4843E}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
0e6a9f3ab599b6baac381c8cbda97805

SHA1
5261150c884fb44f8e11f840941e99b27b342930

SHA256
6e8e83e42afc689d115efebac2ddc4a66c9eb275cbeb771787d42c6c3a5ec069

SHA512
a83b1f3760af6516a71b1c4e0e692619286ed52d6682846bd9f2c06720556174d094ec7a2c96f296f4815ddff7c798f3b97e78d6d69e509ca5d7f10be98a27fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
731079a7894726de142a1031c001bf43

SHA1
209fcb9e5db1bbf62f0b05894bf188d24005a2a5

SHA256
996e227c60bba1d41ae798bf0bff43b552fb3384ec4dc0c9b693cea0266208c7

SHA512
7ed04a8287f2f009a277c169959fdef830e777b54158a15ddc35716099388ced332340134d84ef50ad6810f07e33628c6940e256b6eb6dca9db1902232927d9c

Download Submit
memory/372-392-0x0000015D615B0000-0x0000015D615D2000-memory.dmp

Filesize
136KB

Download
memory/372-394-0x0000015D61A40000-0x0000015D61AB6000-memory.dmp

Filesize
472KB

Download
memory/372-393-0x0000015D61970000-0x0000015D619B4000-memory.dmp

Filesize
272KB

Download
memory/1708-39-0x0000000003200000-0x00000000033C7000-memory.dmp

Filesize
1.8MB

Download
memory/1708-34-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2272-60-0x0000000073D60000-0x0000000073EDB000-memory.dmp

Filesize
1.5MB

Download
memory/2272-61-0x00007FFC69870000-0x00007FFC69A65000-memory.dmp

Filesize
2.0MB

Download
memory/3128-97-0x0000000074BF0000-0x0000000074D6B000-memory.dmp

Filesize
1.5MB

Download
memory/3128-94-0x00007FFC69870000-0x00007FFC69A65000-memory.dmp

Filesize
2.0MB

Download
memory/3812-186-0x00007FF661770000-0x00007FF661A88000-memory.dmp

Filesize
3.1MB

Download
memory/3812-113-0x00007FF661770000-0x00007FF661A88000-memory.dmp

Filesize
3.1MB

Download
memory/3812-112-0x00007FF661770000-0x00007FF661A88000-memory.dmp

Filesize
3.1MB

Download
memory/3812-108-0x00007FF661770000-0x00007FF661A88000-memory.dmp

Filesize
3.1MB

Download
memory/3812-105-0x00007FF661770000-0x00007FF661A88000-memory.dmp

Filesize
3.1MB

Download
memory/3812-104-0x00007FF661770000-0x00007FF661A88000-memory.dmp

Filesize
3.1MB

Download
memory/5572-91-0x0000000074BF0000-0x0000000074D6B000-memory.dmp

Filesize
1.5MB

Download
memory/5572-90-0x00007FFC69870000-0x00007FFC69A65000-memory.dmp

Filesize
2.0MB

Download
memory/5572-89-0x0000000074BF0000-0x0000000074D6B000-memory.dmp

Filesize
1.5MB

Download