neshta | hxxps://www[.]mediafire[.]com/folder/uhgmdr3zimil6/HeartSender

Analysis

max time kernel
130s
max time network
129s
platform
windows10_x64
resource
win10-en-20211208
submitted
17-12-2021 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/uhgmdr3zimil6/HeartSender

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 18 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2.exe	family_neshta
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2.exe	family_neshta
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2 .exe	family_neshta
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2 .exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\Admin\DOWNLO~1\HEART-~1.2\HEART-~1.2_C\HEARTS~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

HeartSender V1.2 .exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	HeartSender V1.2 .exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 20 IoCs

Processes:

HeartSender V1.2.exeSetup.exeSetup.exeHeartSender V1.2 .exesvchost.exeHeartSender V1.2 .exesvchost.comexplorer.exesvchost.comHEARTS~1.EXEsvchost.comHEARTS~2.EXEsvchost.comSetup.exesvchost.comHEARTS~3.EXEsvchost.comsvchost.exesvchost.comexplorer.exe

pid	process
1796	HeartSender V1.2.exe
1632	Setup.exe
2124	Setup.exe
1360	HeartSender V1.2 .exe
2368	svchost.exe
1564	HeartSender V1.2 .exe
1416	svchost.com
3128	explorer.exe
5016	svchost.com
5032	HEARTS~1.EXE
2440	svchost.com
772	HEARTS~2.EXE
4184	svchost.com
60	Setup.exe
4208	svchost.com
4256	HEARTS~3.EXE
4144	svchost.com
2584	svchost.exe
3616	svchost.com
4376	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Setup.exesvchost.exeSetup.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer.exe"	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

HeartSender V1.2 .exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	HeartSender V1.2 .exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	HeartSender V1.2 .exe

Drops file in Windows directory 15 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comHeartSender V1.2 .exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HeartSender V1.2 .exe
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 44 IoCs

Processes:

HeartSender V1.2 .exesvchost.exechrome.exesvchost.exeHeartSender V1.2 .exeHEARTS~2.EXESetup.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	HeartSender V1.2 .exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	HeartSender V1.2 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	HeartSender V1.2 .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 6e003100000000008b534e1b100048454152542d7e312e320000540009000400efbe8b534e1b8b534e1b2e000000c4ab010000000700000000000000000000000000000097491300480065006100720074002d00530065006e006400650072002000560031002e00320000001a000000	HeartSender V1.2 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	HeartSender V1.2 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	HeartSender V1.2 .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = a4003100000000008b53541b100048454152542d7e312e325f430000880009000400efbe7653f4848b53541b2e00000036ad01000000050000000000000000000000000000008b4dfd00480065006100720074002d00530065006e006400650072002d00560031002e0032005f0043007200610063006b00650064005f00620079005f004a00430030006400650072002d00460069007200650045007900650000001c000000	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	HEARTS~2.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "5"	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	HeartSender V1.2 .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	HeartSender V1.2 .exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	Setup.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1264	chrome.exe
1264	chrome.exe
692	chrome.exe
692	chrome.exe
2364	chrome.exe
2364	chrome.exe
680	chrome.exe
680	chrome.exe
1728	chrome.exe
1728	chrome.exe
3644	chrome.exe
3644	chrome.exe
3464	chrome.exe
3464	chrome.exe
2440	chrome.exe
2440	chrome.exe
4876	chrome.exe
4876	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exe

pid	process
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7zG.exesvchost.exeexplorer.exe7zG.exetzutil.exesvchost.exeHEARTS~3.EXEexplorer.exe

description	pid	process
Token: SeRestorePrivilege	1836	7zG.exe
Token: 35	1836	7zG.exe
Token: SeSecurityPrivilege	1836	7zG.exe
Token: SeSecurityPrivilege	1836	7zG.exe
Token: SeDebugPrivilege	2368	svchost.exe
Token: SeDebugPrivilege	3128	explorer.exe
Token: SeRestorePrivilege	4960	7zG.exe
Token: 35	4960	7zG.exe
Token: SeSecurityPrivilege	4960	7zG.exe
Token: SeSecurityPrivilege	4960	7zG.exe
Token: 34	928	tzutil.exe
Token: SeDebugPrivilege	2584	svchost.exe
Token: SeDebugPrivilege	4256	HEARTS~3.EXE
Token: SeDebugPrivilege	4376	explorer.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
1836	7zG.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
4960	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

HeartSender V1.2 .exe

pid process

1564 HeartSender V1.2 .exe

pid	process
1564	HeartSender V1.2 .exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 692 wrote to memory of 2324	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 2324	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1172	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1264	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 1264	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe
PID 692 wrote to memory of 892	692	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.mediafire.com/folder/uhgmdr3zimil6/HeartSender
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff260a4f50,0x7fff260a4f60,0x7fff260a4f70
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1496 /prefetch:2
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1832 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
PID:1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5312 /prefetch:8
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
2⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6420 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,212270753687203798,18202051691374090025,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6832 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Heart-Sender V1.2\" -spe -an -ai#7zMap16293:96:7zEvent30447
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1836

C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2.exe
"C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2.exe"
1⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1632

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1416

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2 .exe
"C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2 .exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\HeartSender V1.2 .exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\HeartSender V1.2 .exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\HeartSender V2.0.33\" -spe -an -ai#7zMap24814:100:7zEvent29701
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~1.EXE"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5016

C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~1.EXE
C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~1.EXE
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~2.EXE"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2440

C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~2.EXE
C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~2.EXE
2⤵
- Executes dropped EXE
- Modifies registry class
PID:772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4184

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:60

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4144

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3616

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~3.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4208

C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~3.EXE
C:\Users\Admin\DOWNLO~1\HEARTS~1.33\HEARTS~1.33C\HEARTS~3.EXE
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\SysWOW64\tzutil.exe
"tzutil.exe" /s "GMT Standard Time"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
MD5
fafb18b930b2b05ac8c5ddb988e9062f

SHA1
825ea5069601fb875f8d050aa01300eac03d3826

SHA256
c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

SHA512
be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
MD5
018f65edabf8cad566cacd35da90eed7

SHA1
dda69ad75ec00e3fefffc39542a9b7f0fd21e942

SHA256
746119286fec5a58b16c606ec17652b3ccac611a898321c379be48e6d3be0252

SHA512
33a13b220a102826ed3e80af54965b2bf0cbe2e74c361520129363f354e0cfca905d4a56c33421b2cd9ecb0e4b21e399278c1abcaf3916c2b499c254ae8c18af

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
MD5
32853955255a94fcd7587ca9cbfe2b60

SHA1
c33a88184c09e89598f0cabf68ce91c8d5791521

SHA256
64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

SHA512
8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
fa982a173f9d3628c2b3ff62bd8a2f87

SHA1
2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

SHA256
bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

SHA512
95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
MD5
ada7572a2723a67c8537985d082dacc9

SHA1
2900cc8a1cac3a9cbef8d46d5fa6b7e2d485a306

SHA256
e82e82cdd6eda8461b3b727059294b0a21f56218d854b72d3918b68232b60e7d

SHA512
1c65643d6f2f0f559fd3e1072c12a126a5fea4203fa6903fd7e59420d8899fa4ada3eb241b7e19e0b748e78259f9296aa89a16a5bbf21cf84d4fc6e40fec08db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
MD5
503fa91a7df32c765f0e3dd1040596a2

SHA1
1846e3eb6f44e0d2ccde57719c00f6dff1bd9ed3

SHA256
c9118508ba45c6b9dc7f4f01681432e7c283f9cc20736455ae7edbf8f91b97ef

SHA512
8c556812ca3deed0310e9070ca38f42b4f0c59aa87be373886bf9c67ca11edb4f635e08fb018d09b05724566dc1ecc761022d4646ec1a112787dab24982ca776

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\HeartSender V1.2 .exe
MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\HeartSender V1.2 .exe
MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe
MD5
d298454882caac154fc9217fc7e90499

SHA1
11970a2f8b9d1153fbc7fe925a846bd95e07e96f

SHA256
badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100

SHA512
e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\explorer.exe
MD5
d298454882caac154fc9217fc7e90499

SHA1
11970a2f8b9d1153fbc7fe925a846bd95e07e96f

SHA256
badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100

SHA512
e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
MD5
c4e4407b5fcf49586ddd5d5573ae4b95

SHA1
0f60aaaaac09d4f9273207114fcc78c0bfb250eb

SHA256
8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

SHA512
95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
MD5
c4e4407b5fcf49586ddd5d5573ae4b95

SHA1
0f60aaaaac09d4f9273207114fcc78c0bfb250eb

SHA256
8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

SHA512
95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

Download Submit
C:\Users\Admin\DOWNLO~1\HEART-~1.2\HEART-~1.2_C\HEARTS~1.EXE
MD5
e44807d27df53db6bf6d54e0dbc98e1d

SHA1
9642f167e6e8c379f58b84b286673f021c007a89

SHA256
5e40a4b3e3d617ae24699e38f0e753764f176896d90e409e77831d7388f0d4cd

SHA512
1671d43659ca71d50a5d3c01d9ef5a0f31432430ef31aa9ef5c9f2d942268d0109964baf4bb1861bc54e49a64275629231ef1739d9ef5be2c75a4dba32d1c055

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2.zip
MD5
8aa621221bfacf1a818f0f63817f79c9

SHA1
c16010f172431a5eb6314e3f82ad5460f115ea13

SHA256
7c441174cb40b5579b19f9af5b39c23a9c87157c23475bc4651b3fe05e3cef6e

SHA512
f8865167b9b7757ce174f7e8debb673a9e02ae9ad187066c9067271fcd8f59cfe956381079a9abf852e1a7dcbafbac20ca43460dfdf259a4a80f0aa4b05593cf

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2 .exe
MD5
6b909fd867131a66ad917f75f96bf59b

SHA1
ed708fedd795412cc9508058a68fe346c76884da

SHA256
e44b905322b17ee2f8335935c29768747684560faf5cc10ccadd3aa977d3df22

SHA512
b73c5cafb9284a2a501eb4bacd8719e9c8922d724d92d7e8a1318c652aab49a6c18af780042f70be3dda1e991ebe99f276b8211fd2f1b9974c07c5d164886427

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2 .exe
MD5
6b909fd867131a66ad917f75f96bf59b

SHA1
ed708fedd795412cc9508058a68fe346c76884da

SHA256
e44b905322b17ee2f8335935c29768747684560faf5cc10ccadd3aa977d3df22

SHA512
b73c5cafb9284a2a501eb4bacd8719e9c8922d724d92d7e8a1318c652aab49a6c18af780042f70be3dda1e991ebe99f276b8211fd2f1b9974c07c5d164886427

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2.exe
MD5
3aa4e1f9c2b10ff1b8b5e368b2289a3c

SHA1
4dd889cb8cd2329096f8dcbc9c8d55863d316fb6

SHA256
4b8aa8f66412d56dc4c08b91afc61a3734576b1bc7f43113804fb2fcd647a0d6

SHA512
b3374d494007875300b0d3f1b3bf668a2749dfe975174acb4288c4950192686d4168cb29635b695d230873ba2a397649cc96675e9b5a9a9c333399a63dfdabd3

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\HeartSender V1.2.exe
MD5
3aa4e1f9c2b10ff1b8b5e368b2289a3c

SHA1
4dd889cb8cd2329096f8dcbc9c8d55863d316fb6

SHA256
4b8aa8f66412d56dc4c08b91afc61a3734576b1bc7f43113804fb2fcd647a0d6

SHA512
b3374d494007875300b0d3f1b3bf668a2749dfe975174acb4288c4950192686d4168cb29635b695d230873ba2a397649cc96675e9b5a9a9c333399a63dfdabd3

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Settings.ini
MD5
b48b1b05e298d45efa4c56c34a2ea642

SHA1
8367d10ba74e4ba800bbc564315049f96b318622

SHA256
b9ae3242dac9afe4d8c2a4f889d633a3bc10217e2c4e374158d9753e8ab02a6e

SHA512
b34deb22080f76df5376c78b387bf4b228ca778752dd7057af1b509947ffec98b0fffb8d06686aa53d56a0d28ea79aa1d548b1e770803466bb485729566a5b7d

Download Submit
C:\Users\Admin\Downloads\Heart-Sender V1.2\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\license.txt
MD5
b28ba1c42e3f7ac4a232f995db96f8e6

SHA1
0ba15f4f1c20646f8795641baba59e2f52033630

SHA256
f9598eba595aab0895f5804807ead4546e9c1770f10028d0fa843707a11f2897

SHA512
beaee548737ab29359d122fe79c8403d55c66f574aafce82f4dbb24e11e1fa0ea394370b52f7d1d9e2d0ffa8ce99c7e23a549170b4429cbfa9668bf865b235db

Download Submit
C:\Windows\svchost.com
MD5
e7c89731a4d2eb99f8926a6fe7f2773c

SHA1
dc7f50dd9989f3add7976f07415a9eabe903e616

SHA256
4caf49b69733ec446f282fc29a35ecbe4d38843d349fdcac6818f47bd2fe1e97

SHA512
ecdc710c9137aab0fde82502ca9a91c888c3618a3b4c131f992a5572174ee4637b18a2c390d0bf0d90c8b03e4c535571222ee7563ea6f951b927ef5c8f086102

Download Submit
C:\Windows\svchost.com
MD5
e7c89731a4d2eb99f8926a6fe7f2773c

SHA1
dc7f50dd9989f3add7976f07415a9eabe903e616

SHA256
4caf49b69733ec446f282fc29a35ecbe4d38843d349fdcac6818f47bd2fe1e97

SHA512
ecdc710c9137aab0fde82502ca9a91c888c3618a3b4c131f992a5572174ee4637b18a2c390d0bf0d90c8b03e4c535571222ee7563ea6f951b927ef5c8f086102

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
\??\pipe\crashpad_692_DSRGZWHGPCOKBSQE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-185-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/60-181-0x0000000000000000-mapping.dmp

Download
memory/772-184-0x0000000003270000-0x0000000003272000-memory.dmp

Filesize
8KB

Download
memory/772-179-0x0000000000000000-mapping.dmp

Download
memory/928-196-0x0000000000000000-mapping.dmp

Download
memory/1360-125-0x0000000000000000-mapping.dmp

Download
memory/1416-145-0x0000000000000000-mapping.dmp

Download
memory/1564-135-0x0000000000000000-mapping.dmp

Download
memory/1564-142-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1564-157-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/1564-155-0x0000000002573000-0x0000000002575000-memory.dmp

Filesize
8KB

Download
memory/1564-138-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1564-156-0x0000000008740000-0x0000000008741000-memory.dmp

Filesize
4KB

Download
memory/1564-144-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1564-162-0x0000000002575000-0x0000000002576000-memory.dmp

Filesize
4KB

Download
memory/1564-143-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1564-140-0x00000000070F0000-0x00000000071A4000-memory.dmp

Filesize
720KB

Download
memory/1564-141-0x00000000098B0000-0x00000000098B1000-memory.dmp

Filesize
4KB

Download
memory/1632-127-0x0000000002340000-0x0000000002342000-memory.dmp

Filesize
8KB

Download
memory/1632-120-0x0000000000000000-mapping.dmp

Download
memory/1796-119-0x00000000008E0000-0x00000000008E2000-memory.dmp

Filesize
8KB

Download
memory/2124-123-0x0000000000000000-mapping.dmp

Download
memory/2124-128-0x0000000002B90000-0x0000000002B92000-memory.dmp

Filesize
8KB

Download
memory/2368-134-0x0000000003402000-0x0000000003403000-memory.dmp

Filesize
4KB

Download
memory/2368-130-0x0000000000000000-mapping.dmp

Download
memory/2584-188-0x0000000000000000-mapping.dmp

Download
memory/2584-194-0x0000000002802000-0x0000000002803000-memory.dmp

Filesize
4KB

Download
memory/3128-152-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download
memory/3128-149-0x0000000000000000-mapping.dmp

Download
memory/3616-197-0x0000000000000000-mapping.dmp

Download
memory/4144-186-0x0000000000000000-mapping.dmp

Download
memory/4184-180-0x0000000000000000-mapping.dmp

Download
memory/4208-182-0x0000000000000000-mapping.dmp

Download
memory/4256-183-0x0000000000000000-mapping.dmp

Download
memory/4256-198-0x000000000E460000-0x000000000E461000-memory.dmp

Filesize
4KB

Download
memory/4256-202-0x0000000005685000-0x0000000005686000-memory.dmp

Filesize
4KB

Download
memory/4256-187-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4256-190-0x0000000007A50000-0x0000000007B71000-memory.dmp

Filesize
1.1MB

Download
memory/4256-199-0x0000000005683000-0x0000000005685000-memory.dmp

Filesize
8KB

Download
memory/4256-195-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4376-200-0x0000000000000000-mapping.dmp

Download
memory/4376-201-0x0000000000640000-0x0000000000642000-memory.dmp

Filesize
8KB

Download
memory/5032-177-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/5032-176-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/5032-170-0x0000000000000000-mapping.dmp

Download
memory/5032-178-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/5032-171-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download