medusalocker | hxxp://95[.]213[.]145[.]101[:]8000/

Resubmissions

19-10-2022 20:57

221019-zrxvcagefn 8

18-10-2022 04:25

221018-e11x5sefgr 10

17-10-2022 22:33

221017-2gv9wadgal 10

Analysis

max time kernel
811s
max time network
799s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://95.213.145.101:8000/

Score

10^/10

medusalocker systembc evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> 3A7A198B9359011DF2C894F21C57FB02131B0A4C4ADF5989B4B6C4BCF85FEB5E965BF3B803D49B6CE15BAA18DD51B913BE79748E4338230C4434BCD48B400808<br>EAB74E85EDFC237B886D140029BBEABCC8ED9968A136EB7678C7CC6BEE0D1844C3CF3DA45AECD4D0A140652BCD17E068114E1033CCFFF5E80E796358CBB0<br>B74610795E805B893C554CCE70F1745B43546924DAFDC285A7C74574C94F5EE8C47BFBE461339EF3520BE1BCD52A0ABFC22FD454E3E676C720772C5378E6<br>D1F494308933031092D8F7A8AE0F5B896925521FAADCC5AD6FF3614B5C100B37CECE94A99FA7E50ACFE725A20991BDACA8224B03BF3E4F7D63C78BF4DC74<br>32F94C40E0493C0D79F245798FCF7842B1272AF71248F604065CD1665C15D1930A67157BD85432A977BF5C6773E112F79E0B04484E25FC29E8F1453727D1<br>35C405E8CED5B9DCEA3211C07E554E6BE23528DDDF01E029869E34ED429140EC548CBB1E56F618584BD6473A30235C4E2B19400BF6466FB7C5BDE0B541D3<br>184185A31B327797C647DD03DB1038862D36733A77B8E95358653B6276515F0BA3DD11D4118AC45ACAF384C8FD17D840ABF6BD4AAB2D055CD97E84533298<br>99CF690CDC31900A191286C889F2057D3C20A068CA289FE2B53867FF96F7243E1992195BF3BAA5185E0A42AE018A9083EAE5E066E01394F50AC3288654FF<br>269CC401D9927045E5220D5E295C

Emails

<h2>[email protected]</h2>

Extracted

Family

systembc

92.53.90.84:4136

92.53.90.70:4136

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\64ME_bul.exe	family_medusalocker
C:\Users\Admin\Downloads\64ME_bul.exe	family_medusalocker

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

64ME_bul.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64ME_bul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	64ME_bul.exe

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

VmManagedSetup.exeVmManagedSetup.exeChromeRecovery.exe64ME_bul.exesvhost.exe

pid process

3208 VmManagedSetup.exe
1792 VmManagedSetup.exe
3540 ChromeRecovery.exe
3292 64ME_bul.exe
3428 svhost.exe

pid	process
3208	VmManagedSetup.exe
1792	VmManagedSetup.exe
3540	ChromeRecovery.exe
3292	64ME_bul.exe
3428	svhost.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

64ME_bul.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SelectCompare.tiff => C:\Users\Admin\Pictures\SelectCompare.tiff.bulwark	64ME_bul.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchUndo.tiff	64ME_bul.exe
File renamed	C:\Users\Admin\Pictures\SwitchUndo.tiff => C:\Users\Admin\Pictures\SwitchUndo.tiff.bulwark	64ME_bul.exe
File renamed	C:\Users\Admin\Pictures\ApproveMount.png => C:\Users\Admin\Pictures\ApproveMount.png.bulwark	64ME_bul.exe
File renamed	C:\Users\Admin\Pictures\BackupMeasure.png => C:\Users\Admin\Pictures\BackupMeasure.png.bulwark	64ME_bul.exe
File renamed	C:\Users\Admin\Pictures\CompareUnpublish.raw => C:\Users\Admin\Pictures\CompareUnpublish.raw.bulwark	64ME_bul.exe
File opened for modification	C:\Users\Admin\Pictures\SelectCompare.tiff	64ME_bul.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

64ME_bul.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64ME_bul.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

64ME_bul.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini 64ME_bul.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	64ME_bul.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64ME_bul.exe

description	ioc	process
File opened (read-only)	\??\B:	64ME_bul.exe
File opened (read-only)	\??\F:	64ME_bul.exe
File opened (read-only)	\??\H:	64ME_bul.exe
File opened (read-only)	\??\J:	64ME_bul.exe
File opened (read-only)	\??\K:	64ME_bul.exe
File opened (read-only)	\??\L:	64ME_bul.exe
File opened (read-only)	\??\V:	64ME_bul.exe
File opened (read-only)	\??\X:	64ME_bul.exe
File opened (read-only)	\??\M:	64ME_bul.exe
File opened (read-only)	\??\O:	64ME_bul.exe
File opened (read-only)	\??\R:	64ME_bul.exe
File opened (read-only)	\??\S:	64ME_bul.exe
File opened (read-only)	\??\T:	64ME_bul.exe
File opened (read-only)	\??\U:	64ME_bul.exe
File opened (read-only)	\??\W:	64ME_bul.exe
File opened (read-only)	\??\A:	64ME_bul.exe
File opened (read-only)	\??\N:	64ME_bul.exe
File opened (read-only)	\??\Y:	64ME_bul.exe
File opened (read-only)	\??\E:	64ME_bul.exe
File opened (read-only)	\??\G:	64ME_bul.exe
File opened (read-only)	\??\I:	64ME_bul.exe
File opened (read-only)	\??\P:	64ME_bul.exe
File opened (read-only)	\??\Q:	64ME_bul.exe
File opened (read-only)	\??\Z:	64ME_bul.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\ChromeRecovery.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

VmManagedSetup.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wow64.job	VmManagedSetup.exe
File created	C:\Windows\Tasks\wow64.job	VmManagedSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe64ME_bul.exe

pid	process
1668	chrome.exe
1668	chrome.exe
2548	chrome.exe
2548	chrome.exe
1020	chrome.exe
1020	chrome.exe
4532	chrome.exe
4532	chrome.exe
1792	chrome.exe
1792	chrome.exe
4556	chrome.exe
4556	chrome.exe
3104	chrome.exe
3104	chrome.exe
1748	chrome.exe
1748	chrome.exe
3160	chrome.exe
3160	chrome.exe
1876	chrome.exe
1876	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1556	chrome.exe
1556	chrome.exe
2956	chrome.exe
2956	chrome.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe
3292	64ME_bul.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2548 chrome.exe
2548 chrome.exe
2548 chrome.exe
2548 chrome.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	412	wmic.exe
Token: SeSecurityPrivilege	412	wmic.exe
Token: SeTakeOwnershipPrivilege	412	wmic.exe
Token: SeLoadDriverPrivilege	412	wmic.exe
Token: SeSystemProfilePrivilege	412	wmic.exe
Token: SeSystemtimePrivilege	412	wmic.exe
Token: SeProfSingleProcessPrivilege	412	wmic.exe
Token: SeIncBasePriorityPrivilege	412	wmic.exe
Token: SeCreatePagefilePrivilege	412	wmic.exe
Token: SeBackupPrivilege	412	wmic.exe
Token: SeRestorePrivilege	412	wmic.exe
Token: SeShutdownPrivilege	412	wmic.exe
Token: SeDebugPrivilege	412	wmic.exe
Token: SeSystemEnvironmentPrivilege	412	wmic.exe
Token: SeRemoteShutdownPrivilege	412	wmic.exe
Token: SeUndockPrivilege	412	wmic.exe
Token: SeManageVolumePrivilege	412	wmic.exe
Token: 33	412	wmic.exe
Token: 34	412	wmic.exe
Token: 35	412	wmic.exe
Token: 36	412	wmic.exe
Token: SeIncreaseQuotaPrivilege	1500	wmic.exe
Token: SeSecurityPrivilege	1500	wmic.exe
Token: SeTakeOwnershipPrivilege	1500	wmic.exe
Token: SeLoadDriverPrivilege	1500	wmic.exe
Token: SeSystemProfilePrivilege	1500	wmic.exe
Token: SeSystemtimePrivilege	1500	wmic.exe
Token: SeProfSingleProcessPrivilege	1500	wmic.exe
Token: SeIncBasePriorityPrivilege	1500	wmic.exe
Token: SeCreatePagefilePrivilege	1500	wmic.exe
Token: SeBackupPrivilege	1500	wmic.exe
Token: SeRestorePrivilege	1500	wmic.exe
Token: SeShutdownPrivilege	1500	wmic.exe
Token: SeDebugPrivilege	1500	wmic.exe
Token: SeSystemEnvironmentPrivilege	1500	wmic.exe
Token: SeRemoteShutdownPrivilege	1500	wmic.exe
Token: SeUndockPrivilege	1500	wmic.exe
Token: SeManageVolumePrivilege	1500	wmic.exe
Token: 33	1500	wmic.exe
Token: 34	1500	wmic.exe
Token: 35	1500	wmic.exe
Token: 36	1500	wmic.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: 36	1216	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe
2548	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2548 wrote to memory of 2640	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 2640	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 4744	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1668	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1668	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe
PID 2548 wrote to memory of 1112	2548	chrome.exe	chrome.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

64ME_bul.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64ME_bul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64ME_bul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	64ME_bul.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://95.213.145.101:8000/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffc54594f50,0x7ffc54594f60,0x7ffc54594f70
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1672 /prefetch:2
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4336 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Users\Admin\Downloads\VmManagedSetup.exe
  "C:\Users\Admin\Downloads\VmManagedSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2716 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1060 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=808 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,6457556579651660643,9190710877739215508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Users\Admin\Downloads\VmManagedSetup.exe
C:\Users\Admin\Downloads\VmManagedSetup.exe start
1⤵
- Executes dropped EXE
PID:1792

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1088
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={1f2bf8bf-93eb-4f95-a542-2f6ac8146cba} --system
  2⤵
  - Executes dropped EXE
  PID:3540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3856

C:\Users\Admin\Downloads\64ME_bul.exe
"C:\Users\Admin\Downloads\64ME_bul.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3292
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1088_991119990\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\64ME_bul.exe

Filesize
666KB

MD5
f07dc09a859321bca78c1d7da99ad181

SHA1
6d51174ce888641bc27d5ee968b19b472e014212

SHA256
f064dfde1338a45c76c9cbbe9d7c8b358884c32c21510df14ab9b72df9ead1ba

SHA512
c9597ef6570f0c806f74051ddeb85ac3a0fcd6fcee7815d7c64b29d474ee4894bb703796c01ebb700579cb938ef1a19cb7db36a3add470da4df717a419e3ef8e

Download Submit
C:\Users\Admin\Downloads\64ME_bul.exe

Filesize
666KB

MD5
f07dc09a859321bca78c1d7da99ad181

SHA1
6d51174ce888641bc27d5ee968b19b472e014212

SHA256
f064dfde1338a45c76c9cbbe9d7c8b358884c32c21510df14ab9b72df9ead1ba

SHA512
c9597ef6570f0c806f74051ddeb85ac3a0fcd6fcee7815d7c64b29d474ee4894bb703796c01ebb700579cb938ef1a19cb7db36a3add470da4df717a419e3ef8e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 196125.crdownload

Filesize
216KB

MD5
ff0c41f5f541a93c3556617d1e27b9e1

SHA1
ab7b312922a651c08b586b6539f4297c71a756f0

SHA256
6b408c3d5d5721c5457d8b6b77267ebd2f31c03c4c8c2428979e547c363640a9

SHA512
0396580ac699729a322b49f1fc9f6b20f725610315d5f00b9c47d85dcc59a8aa4d7d819f423ef2d8e6afc0e283abfd3ac8d5dce273dfe18f99a5ebd62c0b8d2b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 626874.crdownload

Filesize
672KB

MD5
1c8c31a225bc622c622c8526a442ddfa

SHA1
5dda503b0193fef88c0f7bec5b753c3c5b583bb4

SHA256
6543e5a07b7d91cd0d6e48dc1d2e6d67cb8ca1798cd29def9419b683d41622a8

SHA512
f398f8478c410d8005673d1b2a93f8b6ffb7f8c726dd8ca08714b137041ba76a50255141dbf14348bc19d47db15ea3d7b12946ede5b3bf2ce3aebc03cfe9f51c

Download Submit
C:\Users\Admin\Downloads\VmManagedSetup.exe

Filesize
13KB

MD5
383a80304cc43365619d7e20b9d54d56

SHA1
299894d56be26ca9304927848951235c61322fef

SHA256
2f90da6517ba31d42cd907480ded408e711761fb727c89baef821e040485365a

SHA512
2d8442c6863b0dd733e6adebe5ff16b8e5e33446b2313e1e8077cd10ae94c5b1ed95a890ba7025fc2872e8a5c0de65f860a0a89cd71b6d6e0131289220437561

Download Submit
C:\Users\Admin\Downloads\VmManagedSetup.exe

Filesize
13KB

MD5
383a80304cc43365619d7e20b9d54d56

SHA1
299894d56be26ca9304927848951235c61322fef

SHA256
2f90da6517ba31d42cd907480ded408e711761fb727c89baef821e040485365a

SHA512
2d8442c6863b0dd733e6adebe5ff16b8e5e33446b2313e1e8077cd10ae94c5b1ed95a890ba7025fc2872e8a5c0de65f860a0a89cd71b6d6e0131289220437561

Download Submit
C:\Users\Admin\Downloads\VmManagedSetup.exe

Filesize
13KB

MD5
383a80304cc43365619d7e20b9d54d56

SHA1
299894d56be26ca9304927848951235c61322fef

SHA256
2f90da6517ba31d42cd907480ded408e711761fb727c89baef821e040485365a

SHA512
2d8442c6863b0dd733e6adebe5ff16b8e5e33446b2313e1e8077cd10ae94c5b1ed95a890ba7025fc2872e8a5c0de65f860a0a89cd71b6d6e0131289220437561

Download Submit
\??\pipe\crashpad_2548_NUZMPJSDDUFBCRYN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/412-143-0x0000000000000000-mapping.dmp

Download
memory/1216-145-0x0000000000000000-mapping.dmp

Download
memory/1500-144-0x0000000000000000-mapping.dmp

Download
memory/3208-134-0x0000000000000000-mapping.dmp

Download
memory/3540-139-0x0000000000000000-mapping.dmp

Download