lumma | 8604450bb4a0dcfe92852ef6b5049021a22db3cbae761cdb7adf779e83324e80

Analysis

max time kernel
159s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R98EQK9.exe
Size

49.6MB
MD5

d40781074f5a4c00a7514f7caa5ca6f4
SHA1

ebcaa459f5d01aaf0847a8e6dea3b3dc80471a62
SHA256

8604450bb4a0dcfe92852ef6b5049021a22db3cbae761cdb7adf779e83324e80
SHA512

765de343357450a7bbb0fc7bc7058fcbc265270ef5d8345f0fb7ad75e29e8d3dd611e400ba282295e58df71651516f5b562580e5573cd5e38cb320237640d973
SSDEEP

786432:Ni3vkfZhwLuiyhJaGSVJsK/8bPbNEPDEIH453obWe+tmVae8jq5Mj2Vg2S62Fxx9:c3KZSLhsREPDEoUob5+7zibNuC67

Score

10^/10

lumma spyware stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Drops startup file 1 IoCs

Processes:

Frogs_King.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe Frogs_King.exe
Executes dropped EXE 3 IoCs

Processes:

Frogs_King.exeFrogs_King.exeFrogs_King.exe

pid process

640 Frogs_King.exe
1508 Frogs_King.exe
560 Frogs_King.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Frogs_King.exe

pid	process
640	Frogs_King.exe
1508	Frogs_King.exe
560	Frogs_King.exe

Loads dropped DLL 13 IoCs

Processes:

$R98EQK9.exeFrogs_King.exeFrogs_King.exeFrogs_King.exe

pid	process
808	$R98EQK9.exe
808	$R98EQK9.exe
808	$R98EQK9.exe
640	Frogs_King.exe
640	Frogs_King.exe
640	Frogs_King.exe
1508	Frogs_King.exe
1508	Frogs_King.exe
1508	Frogs_King.exe
1508	Frogs_King.exe
1508	Frogs_King.exe
1508	Frogs_King.exe
560	Frogs_King.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3692 tasklist.exe
1556 tasklist.exe

pid	process
3692	tasklist.exe
1556	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248586795116078"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Frogs_King.exechrome.exe

pid process

640 Frogs_King.exe
640 Frogs_King.exe
640 Frogs_King.exe
640 Frogs_King.exe
640 Frogs_King.exe
640 Frogs_King.exe
3352 chrome.exe
3352 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

3352 chrome.exe
3352 chrome.exe
3352 chrome.exe
3352 chrome.exe
3352 chrome.exe
3352 chrome.exe
3352 chrome.exe
3352 chrome.exe

pid	process
640	Frogs_King.exe
640	Frogs_King.exe
640	Frogs_King.exe
640	Frogs_King.exe
640	Frogs_King.exe
640	Frogs_King.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

$R98EQK9.exetasklist.exeFrogs_King.exetasklist.exe

description	pid	process
Token: SeSecurityPrivilege	808	$R98EQK9.exe
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe
Token: SeCreatePagefilePrivilege	640	Frogs_King.exe
Token: SeShutdownPrivilege	640	Frogs_King.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

chrome.exe

pid	process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid	process
2124	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

$R98EQK9.exeFrogs_King.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 808 wrote to memory of 640	808	$R98EQK9.exe	Frogs_King.exe
PID 808 wrote to memory of 640	808	$R98EQK9.exe	Frogs_King.exe
PID 808 wrote to memory of 640	808	$R98EQK9.exe	Frogs_King.exe
PID 640 wrote to memory of 3584	640	Frogs_King.exe	cmd.exe
PID 640 wrote to memory of 3584	640	Frogs_King.exe	cmd.exe
PID 640 wrote to memory of 3584	640	Frogs_King.exe	cmd.exe
PID 3584 wrote to memory of 3692	3584	cmd.exe	tasklist.exe
PID 3584 wrote to memory of 3692	3584	cmd.exe	tasklist.exe
PID 3584 wrote to memory of 3692	3584	cmd.exe	tasklist.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 1508	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 560	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 560	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 560	640	Frogs_King.exe	Frogs_King.exe
PID 640 wrote to memory of 3316	640	Frogs_King.exe	cmd.exe
PID 640 wrote to memory of 3316	640	Frogs_King.exe	cmd.exe
PID 640 wrote to memory of 3316	640	Frogs_King.exe	cmd.exe
PID 3316 wrote to memory of 1556	3316	cmd.exe	tasklist.exe
PID 3316 wrote to memory of 1556	3316	cmd.exe	tasklist.exe
PID 3316 wrote to memory of 1556	3316	cmd.exe	tasklist.exe
PID 3352 wrote to memory of 4976	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4976	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4000	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4000	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4000	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4000	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4000	3352	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\$R98EQK9.exe
"C:\Users\Admin\AppData\Local\Temp\$R98EQK9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe
"C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1960,i,11906651877055586208,18264967942659118260,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508

C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe
"C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=2244 --field-trial-handle=1960,i,11906651877055586208,18264967942659118260,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:1192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff819f19758,0x7ff819f19768,0x7ff819f19778
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:2
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3220 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4560 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4772 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2596 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3556 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5632 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5664 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:1
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 --field-trial-handle=1844,i,8815221451674387829,14087436407988452019,131072 /prefetch:8
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
e12bfcac76168f887e1a4468181b234a

SHA1
c02b7089ac553102d203501488dc25a8b21c4161

SHA256
96a282b69c3ef53764eb2b3deb8cb3c17615508e52ab47affb079c25acd83574

SHA512
0b98211e93a806d4f09a5ef2c429d579f841355104e7cd605832885c82ffa48a0fc519684409e19c292cc49eb5c322451751ca1dec004a57e56ac009e0453fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.bby

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
aa6c00067b77bd9ec3ae2c49dd9946b5

SHA1
80ee36ea42506557769ae7440e6987c0000c540e

SHA256
bd33254ec15f980a5e857f3f6459e6653e068150d9e5f597012e7411938cbaa2

SHA512
32f93a6216ae2509d32bc544e7345e703cc4a6500957bd0689e53c13837dd58b6967b75dbabce1b54db0feb69a88e13653c0d9cf0271d186b676c2a172464235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
8bbff65addd2a832b210de658ad7163f

SHA1
d7f910fdcc81513d3b070838bbc97bdff3e4609d

SHA256
4df4b49f2665f1662ba491b1eaa8a912994cdcba2297834886d3a105c5751ced

SHA512
a21b7f571bbec4e2a53d76edef18446684cf369b9130d3273f85302235dec5c888e1871d1eea9b64311620b3e8efd7860d480d04f93e529d0fb1e6c9f1da5c99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
1c06fe6ced189a25fab5c982b6300e0c

SHA1
d7599d9ea6e21dd65156f57812ae619054744bee

SHA256
e6273f0511f8b9ca589e941080add4f7ece187df681eb512ed5c5d2891bd1a25

SHA512
552aa62e1fabcf833ce71e551a24493634ee7e30821954777f75c071a1df2cefd69fe80b64e9854369eb275a333b85357516a09d76e029f1a8697a30594c90a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bcbddc45da30c2bf48a4720ceaaf0688

SHA1
a522f7a17f358b14202acabfb0bbdbf7bd320c51

SHA256
7aed4c8851be06aab079141959914e626bdcc9df93e8329c398056af03ff6daf

SHA512
1536402a0e9f958613a63400aee19a0f36faa64ce7921785882d3c5ea4bc7410fa2101cfd6b310ed790196daa489a3d466eb42dbddb46d6711e615aab739ef91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7207d4f7b31bd62758d3738df33b491e

SHA1
72a61d3f2e89d626a14f1cc068c20e35615446c0

SHA256
b9c8f5304969d0972843348a14664e6f2e896e1329f62e734398d4e225f1b247

SHA512
df01a58f345e443493b010b4711f9e2c3bb5ac04d8249efcaae6b9bfa74bddcdb6cf4159adf9167b923db314645b5fb093ddfc89a83274ef12e1caa8bc1740b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2150b906963abee18f4ad2df19c8812f

SHA1
16841ae481836898061b983c3ba6636ac7f5bd77

SHA256
eff304f20dd3e7eaf9aecc1b05269d67d1ea5c20d0964f2138a3191c2e564307

SHA512
162375bee6d3aacba12a7a244b08aab5e0f8c772cc3ffa04ec59185306690adf1133198db64eb14eb590bd9cb645b4d3b61d496d2855cb47993978df1c8554b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6b89780be14d4a6d842079832204d86e

SHA1
0833991a65493ffcf8e0a8a4534b617bb7860936

SHA256
c6e57761726afcb235f9e55ba51019729efa4f095b4612a4c0d95a5620c1090c

SHA512
68f6bdbbc616c1886bd980715f23f9dfb0adc45a52faba03c6bcc44a1ee435b4596d3b777d1550fe8763b38c73aeb1673320be5a2ce9fb5b55120f7573e3bf77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
b4f5b2ccba42fdd2fb6bd141c8e5e5b7

SHA1
8ef1045de84557093228d7d97108fe7f30356cd6

SHA256
56853dac21aba56fcf2ae2314f0f8fa46e6de3b183625186281db55e3397d41e

SHA512
11d0a59e098f7b16094ba56943aec8e9ed09882b6efe6eee99a3a99172c148c7b8eae38c676f45d9d89150458a848f5583eb44838b6029ef38ec55a291c3b5f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
95d3afa38685348ef82fc409e5868abd

SHA1
784716d59d1ddb959bd345b299dc94a44d4b4f42

SHA256
ceea7007831b49a79902745ac26dad60b371d934b3e93e25f20c225ee9d24b2b

SHA512
679a8acb355047fee8365e72c6f59b85b5d1cdeb56b61c1b167236aa20465b39eef6e69459117a4fa4ce039621fe7260fb55465f9cc65a1474fce9a2c6f28b49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b2f0.TMP

Filesize
97KB

MD5
19ccb9ba918d2484dc300e2ebf1a5c14

SHA1
0d2a6dc6f0adb7f2324234c4155f5eb2aae29358

SHA256
19ee377b003c44f590368714855bc102f285f3cda80719982a55e495f6c82297

SHA512
1af03ca379fce8bd4e01fa7ea18a688f4d52209546b48b0ba1b36fc7c9e81da098c2d191f2546a35aa30fe550f492881cbd80fc5595888d9112265ef3f3d4749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\D3DCompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe

Filesize
124.3MB

MD5
a81c2d5d296f24ab64fe793691e4ca4d

SHA1
24d8e3fa510d3f240ba1e64c05eb11628ca1c566

SHA256
8cd9dc61e7158bcb7fd618f37b48717d7cf67fefdf6e1ff9dfb9def5ce587e61

SHA512
ceb6024753070c6e2da55f42f6fd35955d6477e9fec2cdf0f3f2eb3e455521963aa1dfb60c16f6de082b3535658272011a0f4ee1ffcb350648c7003866d82340

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe

Filesize
124.3MB

MD5
a81c2d5d296f24ab64fe793691e4ca4d

SHA1
24d8e3fa510d3f240ba1e64c05eb11628ca1c566

SHA256
8cd9dc61e7158bcb7fd618f37b48717d7cf67fefdf6e1ff9dfb9def5ce587e61

SHA512
ceb6024753070c6e2da55f42f6fd35955d6477e9fec2cdf0f3f2eb3e455521963aa1dfb60c16f6de082b3535658272011a0f4ee1ffcb350648c7003866d82340

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe

Filesize
124.3MB

MD5
a81c2d5d296f24ab64fe793691e4ca4d

SHA1
24d8e3fa510d3f240ba1e64c05eb11628ca1c566

SHA256
8cd9dc61e7158bcb7fd618f37b48717d7cf67fefdf6e1ff9dfb9def5ce587e61

SHA512
ceb6024753070c6e2da55f42f6fd35955d6477e9fec2cdf0f3f2eb3e455521963aa1dfb60c16f6de082b3535658272011a0f4ee1ffcb350648c7003866d82340

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe

Filesize
124.3MB

MD5
a81c2d5d296f24ab64fe793691e4ca4d

SHA1
24d8e3fa510d3f240ba1e64c05eb11628ca1c566

SHA256
8cd9dc61e7158bcb7fd618f37b48717d7cf67fefdf6e1ff9dfb9def5ce587e61

SHA512
ceb6024753070c6e2da55f42f6fd35955d6477e9fec2cdf0f3f2eb3e455521963aa1dfb60c16f6de082b3535658272011a0f4ee1ffcb350648c7003866d82340

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\Frogs_King.exe

Filesize
124.3MB

MD5
a81c2d5d296f24ab64fe793691e4ca4d

SHA1
24d8e3fa510d3f240ba1e64c05eb11628ca1c566

SHA256
8cd9dc61e7158bcb7fd618f37b48717d7cf67fefdf6e1ff9dfb9def5ce587e61

SHA512
ceb6024753070c6e2da55f42f6fd35955d6477e9fec2cdf0f3f2eb3e455521963aa1dfb60c16f6de082b3535658272011a0f4ee1ffcb350648c7003866d82340

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\libEGL.dll

Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\libGLESv2.dll

Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\libegl.dll

Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\libglesv2.dll

Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\resources\app.asar

Filesize
39.1MB

MD5
26b8135393206d158663fe77f9ea0242

SHA1
a560c26be8e93adba230af2ddb57641ebdee1cd0

SHA256
5adc62762be0714d2c25736ad7fc897b81e2cb33fd3e80d9b9f7306b41739cf9

SHA512
e4246b4d89b8db637519a4301c95e8003d41d4fa9f617830d0791f2f64d901efe8467235bea022173912da2d97f5ef04fac0d6e261bd6b8c616e59129ec1e0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\v8_context_snapshot.bin

Filesize
596KB

MD5
5d9b4473dd8705940bbb4a4036e395d0

SHA1
af35aa3374200dd2b9102f6767e53413e4e09e20

SHA256
ca2245da2a4aa7e4c9dcbf810c90048f73a9a96f6432f7895f3e6fe0c21e48f1

SHA512
bcc78b845a2aac96e46162c6a81dd1a914a6e8ed6d9753f648ae125958042a76ab49f1fefc8615891a1e007f0d0b63980517953ee088e29d46ba9d258f130192

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\vk_swiftshader.dll

Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\vk_swiftshader.dll

Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\vulkan-1.dll

Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NWWaDcXTbeXJTbB0UPBdEK4GQz\vulkan-1.dll

Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41e806a4-7278-4c91-a494-647e93a8e594.tmp.node

Filesize
489KB

MD5
035d5df8d2c724878071d9dc1155c6aa

SHA1
3f23f2664cd5a173d98aaf09f0f7142b1c2c9b15

SHA256
a763486d99daf0c7b52cc24337703cfdf6099520f47b183b7658694f767c79ba

SHA512
6cffd4d7e549bba069113839d3f6d7ec89799bcacb60342d65bfcea9539e830b8113bc60d0c2d63ba16d42a00205b262fafabe836ad2a301a28c5d8036cf141c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9859c4bf-1b22-4982-8933-e130f0460e1b.tmp.node

Filesize
2.1MB

MD5
3bc107cac5de2a16c41af09753c17d8a

SHA1
3fc350965383a1850263322b163ea9e7db84aa18

SHA256
2fedc6242d32e83c3959ac2bc6d2d69f2ffbbf537fd9354a5fed31bf3ae75546

SHA512
a688118157fdcf0177b6667217c64c3dccad99c9a909d0aba3ef39861f773b96e30769c34af5a3853333f4c30fb3b1658b713e345677a0b7c46cf835a51a5d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\libEGL.dll

Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\libGLESv2.dll

Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\resources\app.asar

Filesize
39.1MB

MD5
26b8135393206d158663fe77f9ea0242

SHA1
a560c26be8e93adba230af2ddb57641ebdee1cd0

SHA256
5adc62762be0714d2c25736ad7fc897b81e2cb33fd3e80d9b9f7306b41739cf9

SHA512
e4246b4d89b8db637519a4301c95e8003d41d4fa9f617830d0791f2f64d901efe8467235bea022173912da2d97f5ef04fac0d6e261bd6b8c616e59129ec1e0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\snapshot_blob.bin

Filesize
281KB

MD5
52304e76978a13b8d7fd46771cbfea84

SHA1
a1af053116b9cd1018fa3c145785eb3c030f709f

SHA256
bb3acfe786e2efd17ad5f5957f06e4ba3d656aac65dcab1b9a2ddaae877bc824

SHA512
d1face9a819fe54500435dd55dc051337229de4f1c10713457b6a7847eb71b4713c2a50f260c35576cc41fef7606a3b6b33407962c91224c389ed0b97ed8b3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\v8_context_snapshot.bin

Filesize
596KB

MD5
5d9b4473dd8705940bbb4a4036e395d0

SHA1
af35aa3374200dd2b9102f6767e53413e4e09e20

SHA256
ca2245da2a4aa7e4c9dcbf810c90048f73a9a96f6432f7895f3e6fe0c21e48f1

SHA512
bcc78b845a2aac96e46162c6a81dd1a914a6e8ed6d9753f648ae125958042a76ab49f1fefc8615891a1e007f0d0b63980517953ee088e29d46ba9d258f130192

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\vk_swiftshader.dll

Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\7z-out\vulkan-1.dll

Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl966A.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\Downloads\Frogs_King.rar

Filesize
49.6MB

MD5
d0b4b276c9aafff011a75b4d9f97ebea

SHA1
a55c53171ed46e90bcc7a36cc4e72a21ad90c9ff

SHA256
1e2379ca4063d79132f185e2499ed6aeee16ccd7c9e1c4772640b5848419adf0

SHA512
c89df2e5f5e6578325f6b5df0eb54c4a005122742af304b4f2a5b40e69be7ec25108eabd305c532386aabb21f5764c84dd75499264399b73f27c7a7ccc735daa

Download Submit
\??\pipe\crashpad_3352_RETGKETXQQJSCMRC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit