lumma | hxxps://deadlegacy[.]us

Analysis

max time kernel
309s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://deadlegacy.us

Score

10^/10

lumma spyware stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

DeadLegacy.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe DeadLegacy.exe
Executes dropped EXE 5 IoCs

Processes:

DeadLegacy.exeDeadLegacy.exeDeadLegacy.exeDeadLegacy.exeDeadLegacy.exe

pid process

1496 DeadLegacy.exe
388 DeadLegacy.exe
948 DeadLegacy.exe
2276 DeadLegacy.exe
1848 DeadLegacy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	DeadLegacy.exe

Loads dropped DLL 15 IoCs

Processes:

DeadLegacy.exeDeadLegacy.exeDeadLegacy.exeDeadLegacy.exeDeadLegacy.exe

pid	process
1496	DeadLegacy.exe
1496	DeadLegacy.exe
1496	DeadLegacy.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
948	DeadLegacy.exe
948	DeadLegacy.exe
948	DeadLegacy.exe
948	DeadLegacy.exe
948	DeadLegacy.exe
948	DeadLegacy.exe
2276	DeadLegacy.exe
1848	DeadLegacy.exe
1848	DeadLegacy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 ipinfo.io
76 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3116 tasklist.exe
4268 tasklist.exe

flow	ioc
75	ipinfo.io
76	ipinfo.io

pid	process
3116	tasklist.exe
4268	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3188 taskkill.exe

pid	process
3188	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133246032861411185"	chrome.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exechrome.exeDeadLegacy.exepowershell.exepowershell.exeDeadLegacy.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1344	chrome.exe
1344	chrome.exe
2660	chrome.exe
2660	chrome.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
388	DeadLegacy.exe
2344	powershell.exe
2344	powershell.exe
3004	powershell.exe
3004	powershell.exe
1848	DeadLegacy.exe
1848	DeadLegacy.exe
3664	powershell.exe
3664	powershell.exe
2388	powershell.exe
2388	powershell.exe
1320	powershell.exe
1320	powershell.exe
2736	powershell.exe
2736	powershell.exe
4820	powershell.exe
4820	powershell.exe
1940	powershell.exe
1940	powershell.exe
2788	powershell.exe
2788	powershell.exe
3740	powershell.exe
3740	powershell.exe
1288	powershell.exe
1288	powershell.exe
2620	powershell.exe
2620	powershell.exe
4716	powershell.exe
4716	powershell.exe
1972	powershell.exe
1972	powershell.exe
1036	powershell.exe
1036	powershell.exe
1544	powershell.exe
1544	powershell.exe
1180	powershell.exe
1180	powershell.exe
2980	powershell.exe
2980	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe

pid	process
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1344 wrote to memory of 1680	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 1680	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 3636	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 1400	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 1400	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe
PID 1344 wrote to memory of 4472	1344	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://deadlegacy.us
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4bfc9758,0x7ffa4bfc9768,0x7ffa4bfc9778
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:2
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3252 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4068 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3248 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4200 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4912 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2796 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4632 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3248 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5008 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1668 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2732 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3432 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:1524

C:\Users\Admin\Downloads\DeadLegacy.exe
"C:\Users\Admin\Downloads\DeadLegacy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496

C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
4⤵
PID:2024

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
4⤵
PID:4876

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM chrome.exe /F
5⤵
- Kills process with taskkill
PID:3188

C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
"C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 --field-trial-handle=2060,i,17077684144452711551,3353266590136546568,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
4⤵
PID:2400

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4268

C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
"C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=1360 --field-trial-handle=2060,i,17077684144452711551,3353266590136546568,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
"C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=2060,i,17077684144452711551,3353266590136546568,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:3192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:1348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:1804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:3500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:2540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:3192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:4852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:3224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
4⤵
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3944 --field-trial-handle=1836,i,2866547813655878349,1272275224974948560,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
fb4dd4cfb1d68053bdd5c79d11495e77

SHA1
c726d446c7111faa4ef6389d89d3cd1b8c2f56db

SHA256
a2451738508c9560ceb068ac52c6a50c3bfb31ec4d19c8147d1097ec892367de

SHA512
1a47ac10952fdcd1dc64e8a4b0d408778d7de7f0fdefdfa04c51f6d21c91f835ff9ce523434bc2d74d2c28c20a8bd77d18ce72997b3d3fae53a8d886e1a1e4de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b2e9d212959c0d1d4819a7204b310071

SHA1
9a9876e060384b53e367bb785e08fd72543d7751

SHA256
d50f2296f44e4aea60734abdf3b04635366cd1fd475a00461dbab6238b4fc5ce

SHA512
a174f41aafb017ec3d58d68cc87d6f0c1fa23f2b5f6e3a8f59e0026949c47814b5d466edb29978563dce647459ce53d21e1786b205c92124718d7a7f596cfb07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
5068b62f9da643a1422f5b68078c6751

SHA1
4165f5949934229c684bbaf495742553d4930056

SHA256
972711b802d322d4e57ca03072fc0e6bdd99ab5ea19097e56821ab6b24b50bc6

SHA512
95dedcbefeb21bf9c9c30402f0431d6beebd74c1bc0017b386d71f524c6252403c75f1756d820442b0fb1c5e4f2893c614d7c53b91b179b6739c9655c0104840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
319579b2b7637fa2767e40c37a91515a

SHA1
6705d3b7ef16d3bc5e315c7d23a5708001740b8b

SHA256
a36e870a68bf6f60061fd2dd7ddb0bb9bd0bd1a37f25fcc3fc8a92c873ef52d9

SHA512
b278bd6cec4c64d8d90e360dad586d40df4e3f03ea253d38cf21ddee0fd1d0f0e38cb072ebb3991ae79dd75f85167daa6ada5851cb58dee1fdf7f7937a02f2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1c7cb343feee9a1f62d352795c7d8ca9

SHA1
53bafeedf5b00d30bae6baf5efeadcc55a5742e1

SHA256
703e036fce9ddf07f783cd71b522296e3f641dc392d947a694e8a9794a116ead

SHA512
6d0e23165c06ba574ea21e6e3990f0b04687f7d41d1a8ce94ec4afa44d29494c38019dd6a4ff3101931fbcc26b45fb8850175421dc297a52bd92aa407ee51644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fe9fe8b7789cecaf75d124ddb951a88e

SHA1
037ec56ed2c7ebbda05d29bf769cc2b074113193

SHA256
804c16276221cfcc1bb561f0285b9276fabb81aa9fc6cfd81ff290b394c45062

SHA512
1d58e710b5b5603e0007f059a3e4838d0aaa5a8f32e08acebd1039dbbc6cdbe83150de79d09081d50b15af9158744771e054a780c8b89eadde5540654b7293d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
67a9eaae4dd8e2f00fdb99d89e338548

SHA1
119480312d1462ce9e45b1d224f000a20982e909

SHA256
42a67bd4345715627f15faf4827446b0a445841480db2f9d038c3c3014769095

SHA512
1e4208720f78fbb8b307cf76f029e452e9b3daee4ed80e6203a0209a8bf8e8ea3ea109b3b0528be2aebebfbbddbea5f605102a002df9dfda78adfb3ecb3a5433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
10160a8b56d289a4ddbb3fcd68b032a1

SHA1
42d53c02d4a1384b5b071977672fe778c1980818

SHA256
2f64bff50b9c75f96044183547642a7bb7a4b54d6c7e8a56b0437e86349fcea5

SHA512
b758c3450a515ed8a4078eb54a87ed4729cf5865c4ef6bdcac8186d9d759197614d4cfd798941487e0c91b45ba29a9e46a9a09996e586e57bf032ddec5a6ab6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
77cfb3542c54351de91074e4b70266b7

SHA1
f396be638619ab82f390fbb95c1c2e0b01f6a4da

SHA256
1541798c5a4a9ef1b8741be006fca4bd5387bdbfc57a176c1b0f1305b1711b55

SHA512
f5a2a54a95411f95c92f2cf89b76dc7b6d0ae0795be0a011ee630769c96e63462afc29db5b1de8159bb23e0cc2a139ecd07de1af7e856f441177145fe883fe66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
d59c3059b997db17706e301b3261d569

SHA1
ec71117f40c4749554ce259f5f971dffe8248132

SHA256
1d469a33ed61b5122b2621e87cd9ef4ede9a9a5ace359bc9783324bbc7a518c6

SHA512
6df2447455d4cff1e369ac0587acf534c2ff404ab69261eda0fcdf2a2081a113da609fb8d583611b7fda0e973ed6497a39232f0070b592eae6096d36334d27b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
d59c3059b997db17706e301b3261d569

SHA1
ec71117f40c4749554ce259f5f971dffe8248132

SHA256
1d469a33ed61b5122b2621e87cd9ef4ede9a9a5ace359bc9783324bbc7a518c6

SHA512
6df2447455d4cff1e369ac0587acf534c2ff404ab69261eda0fcdf2a2081a113da609fb8d583611b7fda0e973ed6497a39232f0070b592eae6096d36334d27b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
113KB

MD5
be10cf93223aa3a560dca3f4cb63faa8

SHA1
4897c184dbd16eed37994762cbd3d172630af47c

SHA256
37ec0b49e8dac4c542e1f56add00b124f8c142b793cf00755fc26c8cb7601788

SHA512
65975a05d080cc060fab5e89d95432b43d4d9de6746ad9dc1007b121fd7f422cdfbe8ee5c7cb1480ae6e15008b546f61e954a7f332dd1d7453a035d6cd4d826c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
d74744bd1179748628603c4922f0e2f1

SHA1
27d2e4d503b28f062de9743b67a0b29afd998bec

SHA256
5bc40f16bcca93d45b07c7ace2fd1d36a2726fa48ec4fef9c70b6f68d37c2e1f

SHA512
64daec70c5cdec53cebaf8345da5b44faacfd4ed1823112ebad3c80055f0faaf547e4f44f11da5b43350505ac7f4f990d14b0226240c7cd5ae6a1096c22c4025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57882b.TMP
Filesize
96KB

MD5
0c09a807e97e1d719f1890dd842dba96

SHA1
895a51df62ce87e8ea1a3e8102c32e7d231aed4f

SHA256
c941caaa68a17fc845deb1dba8bf7dd240f2be7c223458a00302e842409045c1

SHA512
ed70d3482db705b7472502eb8c73b32785336bc89d40a344af2b0e93e4eb357e940483f4fd2c5acafbc5bf5d25d5432ce74591185ae2658fc1cbee8f9ae3e8d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
eedc851ccfb2e8281babb78c2f244c68

SHA1
4df05baf7c1b4f14aad3244aa30e95f234504eaf

SHA256
f8bb083f4072511a1b6c0c2e571a376fb678719fc20890ec96be851d25eaa790

SHA512
643d95f22f271d585f33609fefe30fd17b5b0380613553a86d1e94d5fb602660f2d4b7196915ac5e00f1d17702bbbecf9f4274f5dbb18820745a215b91cbc7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e8be85148d67965227c6a94344d2e694

SHA1
b4f568241018913b58aa61700129592a0833a6cf

SHA256
2563b511e6bb11b0a9c9aacff5de2b5073252d9758eb8874bd74a665f45f5aef

SHA512
d44473142e47f4fb3159a276abe6d6ab23b1decf4c6b5ec60a78c7110280d3ec4ee96897d1cadb6dcd49623148eee0108bccda3162c78560a4df78d92427a58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9935bc1b1a2fbfdc29e935e6b92bfa93

SHA1
4fa32bd5b21c2d23e9b2cd0d8ef77dc6dc2e4093

SHA256
dd5e81197e4cdbf19ded150a8f1b81002d82bfad379ff706407781244c8d2f9c

SHA512
97e10e76a5c3fa5e83b6661e5fd4e7d90b6c8e974a65e9f5ef38b6e9a1876258dcce5dbd7a860e74888c075eb2b7720d28b180e8a9b9056dd36c0321ded932f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\D3DCompiler_47.dll
Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
Filesize
124.3MB

MD5
111f1cd127bf032a5b6ef57fe7e1475a

SHA1
3cd2117b14ed2871c721708d2fde281540631156

SHA256
0ae876b5bdcc52e0d182185b4b5a6ccf3a25c37aedaad26cc0c6f08a5e4e89fa

SHA512
82bead829003f3dbf19de24c3c82acc9af715815ee2b3fe2817a0b64af1dd4016cc7c6e3ce03e8484179efe97284115224d83084c5be1d362cb57275b7caa97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
Filesize
124.3MB

MD5
111f1cd127bf032a5b6ef57fe7e1475a

SHA1
3cd2117b14ed2871c721708d2fde281540631156

SHA256
0ae876b5bdcc52e0d182185b4b5a6ccf3a25c37aedaad26cc0c6f08a5e4e89fa

SHA512
82bead829003f3dbf19de24c3c82acc9af715815ee2b3fe2817a0b64af1dd4016cc7c6e3ce03e8484179efe97284115224d83084c5be1d362cb57275b7caa97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
Filesize
124.3MB

MD5
111f1cd127bf032a5b6ef57fe7e1475a

SHA1
3cd2117b14ed2871c721708d2fde281540631156

SHA256
0ae876b5bdcc52e0d182185b4b5a6ccf3a25c37aedaad26cc0c6f08a5e4e89fa

SHA512
82bead829003f3dbf19de24c3c82acc9af715815ee2b3fe2817a0b64af1dd4016cc7c6e3ce03e8484179efe97284115224d83084c5be1d362cb57275b7caa97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
Filesize
124.3MB

MD5
111f1cd127bf032a5b6ef57fe7e1475a

SHA1
3cd2117b14ed2871c721708d2fde281540631156

SHA256
0ae876b5bdcc52e0d182185b4b5a6ccf3a25c37aedaad26cc0c6f08a5e4e89fa

SHA512
82bead829003f3dbf19de24c3c82acc9af715815ee2b3fe2817a0b64af1dd4016cc7c6e3ce03e8484179efe97284115224d83084c5be1d362cb57275b7caa97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\DeadLegacy.exe
Filesize
124.3MB

MD5
111f1cd127bf032a5b6ef57fe7e1475a

SHA1
3cd2117b14ed2871c721708d2fde281540631156

SHA256
0ae876b5bdcc52e0d182185b4b5a6ccf3a25c37aedaad26cc0c6f08a5e4e89fa

SHA512
82bead829003f3dbf19de24c3c82acc9af715815ee2b3fe2817a0b64af1dd4016cc7c6e3ce03e8484179efe97284115224d83084c5be1d362cb57275b7caa97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\chrome_100_percent.pak
Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\chrome_100_percent.pak
Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\chrome_200_percent.pak
Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\d3dcompiler_47.dll
Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\debug.log
Filesize
500B

MD5
34dc01aaf1817d8c25a7e83099365be5

SHA1
346f436d99f2c7a10231894e90ce2595191b42ae

SHA256
064c0392557cf924350b1dfe4d8771fd621b6118e95f1c1208f372540928dd0f

SHA512
cb6f6a72a6e57497d224599501f55740e532fc2a6169e85927279ddb1a048a154f0c4b4b7629bf8779e51c8c91d39e3c12bde65c659a0576da6b2ac1f37bbc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\ffmpeg.dll
Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\ffmpeg.dll
Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\ffmpeg.dll
Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\ffmpeg.dll
Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\ffmpeg.dll
Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\icudtl.dat
Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\libEGL.dll
Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\libGLESv2.dll
Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\libegl.dll
Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\libglesv2.dll
Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\resources\app.asar
Filesize
39.1MB

MD5
b10798eb6beb4e7a54a4ea076321ced6

SHA1
efc0b07b7d0f472ddbe07abd749ccce1ed5df2c7

SHA256
390b486c620110d55a86a6e43478776015a3e5447e5e4fae7601abf23ca09331

SHA512
dfb32509bb4ecc11c10942698319c012ca2485418d2d2b1bb45d44b9c1b7c8e3e9f4569584103d0b74b94470a03cf70f7865735243318cba20316ad805406da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\v8_context_snapshot.bin
Filesize
596KB

MD5
5d9b4473dd8705940bbb4a4036e395d0

SHA1
af35aa3374200dd2b9102f6767e53413e4e09e20

SHA256
ca2245da2a4aa7e4c9dcbf810c90048f73a9a96f6432f7895f3e6fe0c21e48f1

SHA512
bcc78b845a2aac96e46162c6a81dd1a914a6e8ed6d9753f648ae125958042a76ab49f1fefc8615891a1e007f0d0b63980517953ee088e29d46ba9d258f130192

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\vk_swiftshader.dll
Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\vk_swiftshader.dll
Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\vk_swiftshader.dll
Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\vk_swiftshader_icd.json
Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\vulkan-1.dll
Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhYIqAkepSbeMS8xZGDLzaZJHG\vulkan-1.dll
Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6364d886-f75b-4484-aa5e-f363e185b97c.tmp.node
Filesize
489KB

MD5
035d5df8d2c724878071d9dc1155c6aa

SHA1
3f23f2664cd5a173d98aaf09f0f7142b1c2c9b15

SHA256
a763486d99daf0c7b52cc24337703cfdf6099520f47b183b7658694f767c79ba

SHA512
6cffd4d7e549bba069113839d3f6d7ec89799bcacb60342d65bfcea9539e830b8113bc60d0c2d63ba16d42a00205b262fafabe836ad2a301a28c5d8036cf141c

Download Submit
C:\Users\Admin\AppData\Local\Temp\63b7626d-25b4-4c2d-8871-b55b114cc1f0.tmp.node
Filesize
2.1MB

MD5
3bc107cac5de2a16c41af09753c17d8a

SHA1
3fc350965383a1850263322b163ea9e7db84aa18

SHA256
2fedc6242d32e83c3959ac2bc6d2d69f2ffbbf537fd9354a5fed31bf3ae75546

SHA512
a688118157fdcf0177b6667217c64c3dccad99c9a909d0aba3ef39861f773b96e30769c34af5a3853333f4c30fb3b1658b713e345677a0b7c46cf835a51a5d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03hp4mv0.kpi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\DeadLegacy.exe
Filesize
124.3MB

MD5
111f1cd127bf032a5b6ef57fe7e1475a

SHA1
3cd2117b14ed2871c721708d2fde281540631156

SHA256
0ae876b5bdcc52e0d182185b4b5a6ccf3a25c37aedaad26cc0c6f08a5e4e89fa

SHA512
82bead829003f3dbf19de24c3c82acc9af715815ee2b3fe2817a0b64af1dd4016cc7c6e3ce03e8484179efe97284115224d83084c5be1d362cb57275b7caa97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\chrome_200_percent.pak
Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\d3dcompiler_47.dll
Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\ffmpeg.dll
Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\icudtl.dat
Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\libEGL.dll
Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\libGLESv2.dll
Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\resources\app.asar
Filesize
39.1MB

MD5
b10798eb6beb4e7a54a4ea076321ced6

SHA1
efc0b07b7d0f472ddbe07abd749ccce1ed5df2c7

SHA256
390b486c620110d55a86a6e43478776015a3e5447e5e4fae7601abf23ca09331

SHA512
dfb32509bb4ecc11c10942698319c012ca2485418d2d2b1bb45d44b9c1b7c8e3e9f4569584103d0b74b94470a03cf70f7865735243318cba20316ad805406da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\resources\elevate.exe
Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\snapshot_blob.bin
Filesize
281KB

MD5
52304e76978a13b8d7fd46771cbfea84

SHA1
a1af053116b9cd1018fa3c145785eb3c030f709f

SHA256
bb3acfe786e2efd17ad5f5957f06e4ba3d656aac65dcab1b9a2ddaae877bc824

SHA512
d1face9a819fe54500435dd55dc051337229de4f1c10713457b6a7847eb71b4713c2a50f260c35576cc41fef7606a3b6b33407962c91224c389ed0b97ed8b3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\v8_context_snapshot.bin
Filesize
596KB

MD5
5d9b4473dd8705940bbb4a4036e395d0

SHA1
af35aa3374200dd2b9102f6767e53413e4e09e20

SHA256
ca2245da2a4aa7e4c9dcbf810c90048f73a9a96f6432f7895f3e6fe0c21e48f1

SHA512
bcc78b845a2aac96e46162c6a81dd1a914a6e8ed6d9753f648ae125958042a76ab49f1fefc8615891a1e007f0d0b63980517953ee088e29d46ba9d258f130192

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\vk_swiftshader.dll
Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\vk_swiftshader_icd.json
Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\7z-out\vulkan-1.dll
Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE475.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\Downloads\DeadLegacy.exe
Filesize
49.6MB

MD5
a6489ec9205e22cb793c0a2205c00974

SHA1
e3b634bcf042bc6131db2704a8dea60b3f66948c

SHA256
faaededff6d5022966ed05f6aa22c3d6d95cd3d140d75814a4d4538733debe6e

SHA512
ff9bf83420def8c1d6b2817afeda3f50642318b87bec04d3c05716f79d2d3c9d67a0faa206f4bc10d12316c34120cdf265b600dee0910dc5e5376d1e58013caf

Download Submit
C:\Users\Admin\Downloads\DeadLegacy.exe
Filesize
49.6MB

MD5
a6489ec9205e22cb793c0a2205c00974

SHA1
e3b634bcf042bc6131db2704a8dea60b3f66948c

SHA256
faaededff6d5022966ed05f6aa22c3d6d95cd3d140d75814a4d4538733debe6e

SHA512
ff9bf83420def8c1d6b2817afeda3f50642318b87bec04d3c05716f79d2d3c9d67a0faa206f4bc10d12316c34120cdf265b600dee0910dc5e5376d1e58013caf

Download Submit
C:\Users\Admin\Downloads\DeadLegacy.exe
Filesize
49.6MB

MD5
a6489ec9205e22cb793c0a2205c00974

SHA1
e3b634bcf042bc6131db2704a8dea60b3f66948c

SHA256
faaededff6d5022966ed05f6aa22c3d6d95cd3d140d75814a4d4538733debe6e

SHA512
ff9bf83420def8c1d6b2817afeda3f50642318b87bec04d3c05716f79d2d3c9d67a0faa206f4bc10d12316c34120cdf265b600dee0910dc5e5376d1e58013caf

Download Submit
\??\pipe\crashpad_1344_ZJYSJUPBHIHBGYSB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1036-709-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1036-710-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1180-725-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1180-724-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1288-662-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/1288-661-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/1320-590-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1320-591-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1544-722-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/1544-721-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/1848-564-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-563-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-541-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-542-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-543-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-562-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-561-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-559-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-560-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1848-565-0x000000000ED70000-0x000000000ED71000-memory.dmp

Filesize
4KB

Download
memory/1940-626-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/1972-698-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/1972-697-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/2344-505-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/2344-499-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/2344-516-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/2344-519-0x00000000079C0000-0x0000000007F64000-memory.dmp

Filesize
5.6MB

Download
memory/2344-503-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/2344-515-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2344-517-0x00000000068C0000-0x00000000068DA000-memory.dmp

Filesize
104KB

Download
memory/2344-501-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/2344-518-0x0000000006910000-0x0000000006932000-memory.dmp

Filesize
136KB

Download
memory/2344-520-0x00000000074B0000-0x0000000007542000-memory.dmp

Filesize
584KB

Download
memory/2344-502-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/2344-504-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/2344-500-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/2388-579-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2388-578-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2620-664-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/2620-665-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/2736-602-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2736-603-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2788-638-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/2788-637-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/2980-745-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2980-746-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3004-535-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3004-534-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3664-549-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download
memory/3664-554-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download
memory/3740-649-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3740-650-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/4716-685-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/4716-686-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/4820-606-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/4820-605-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download