banload | hxxp://getlo4d[.]com/fooji

Analysis

max time kernel
159s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://getlo4d.com/fooji

Score

10^/10

banload lumma downloader dropper evasion persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

lumma

https://sailorshelfquids.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
1960	Setup.exe
4388	Setup.exe
4048	HDHelper_[0MB]_[1].exe
4200	Setup.exe
4760	Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
1960	Setup.exe
1960	Setup.exe
1960	Setup.exe
1508	httpd.au3
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 5104	1960	Setup.exe	121
PID 4200 set thread context of 1992	4200	Setup.exe	143

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3556	4388	WerFault.exe	120
2724	4760	WerFault.exe	141

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633967162334388"	chrome.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qyLjiveezty\ = "WuKrdpyinOFvBlsXdnLhLMhhHA"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\fRdpdymr\ = "kHiipRSnaDwzKOjAUm[KjQujXal\\EX^^"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\MPDx	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\IwxZnaqlucy\ = "zVuq{y\x7fGYbHOV]d~{"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\fRdpdymr	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\nCQSkqje	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gRbr	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\uwZywixpyE	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\nCQSkqje\ = "UrLi@wGECHEmKUtRohU"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gRbr\ = "nK[bAK~WMRbciGkM[QW@SqcuylPF"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gRbr\ = "QAyEn]Ry{a^@TnewNNbpDf^EixJ}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\uwZywixpyE	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\fRdpdymr	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\fRdpdymr\ = "bM@QuxD^e\|}LOsdQ[\|ZrOuOAa[^Yn_\\@"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\vnbkcRza\ = "Rs}S~eAJv`FyHi}{\\"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ThreadingModel = "Both"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MPDx	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qyLjiveezty	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zcljaAUrdhun\ = "fcYrBQmd`d~\|eBMPqi"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gRbr\ = "nK[bAK~WMRbciGkMZaW@SqaRmO\|Z"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qyLjiveezty	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "C:\\Windows\\System32\\oobe\\oobecoreadapters.dll"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zcljaAUrdhun	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zcljaAUrdhun\ = "DEdiFi\x7fGeg\x7fp[I\|]Ty"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\IwxZnaqlucy\ = "B}B]hrnygKC\\\x7fQgcW"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qyLjiveezty\ = "zdagNnDLQ\\m\x7f\\\x7fhFWJbflH[LTl"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zcljaAUrdhun	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\nCQSkqje\ = "ppFtsfQxcpqUE~swmW~"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\IwxZnaqlucy	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\uwZywixpyE\ = "leUHeQgNFCCA^BAg~P"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\MPDx\ = "@BgNsA[D~\x7f]\|~OJ\\pqvFf"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\vnbkcRza	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\vnbkcRza\ = "zDsM{[rsN[_zT[\\~_"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MPDx\ = "ABvErUm^]iI`VgPvtAQWz"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\IwxZnaqlucy	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gRbr	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gRbr\ = "QAyEn]Ry{a^@TnewO~bpDf\\b}[fa"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\nCQSkqje	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\vnbkcRza	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\uwZywixpyE\ = "lkkE@J@vuT`wRD{Yn@"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\vnbkcRza\ = "Rs}SNeAJv`Fyxi}{\\"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\vnbkcRza\ = "zDsMK[rsN[_zd[\\~_"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	Setup.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	Setup.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
1960	Setup.exe
1960	Setup.exe
1960	Setup.exe
5104	more.com
5104	more.com
5104	more.com
5104	more.com
4992	chrome.exe
4992	chrome.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
1992	more.com
1992	more.com
1992	more.com
1992	more.com

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1960	Setup.exe
5104	more.com
4200	Setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
1232	7zG.exe
1232	7zG.exe
2724	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4256	2860	chrome.exe	82
PID 2860 wrote to memory of 4256	2860	chrome.exe	82
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 692	2860	chrome.exe	83
PID 2860 wrote to memory of 2708	2860	chrome.exe	84
PID 2860 wrote to memory of 2708	2860	chrome.exe	84
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85
PID 2860 wrote to memory of 724	2860	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://getlo4d.com/fooji
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1710ab58,0x7ffb1710ab68,0x7ffb1710ab78
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:2
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4524 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4980 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4112 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1868 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1860,i,13429336432032019858,11336159999715354590,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x42c 0x2fc
1⤵
PID:876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\" -spe -an -ai#7zMap23734:116:7zEvent29612
1⤵
- Suspicious use of FindShellTrayWindow
PID:1232

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\" -spe -an -ai#7zMap26888:188:7zEvent2371
1⤵
- Suspicious use of FindShellTrayWindow
PID:1232

C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\Setup.exe
"C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1960
- C:\Users\Admin\AppData\Roaming\loadctrltb\WQUJWFIJUKEKAX\Setup.exe
  C:\Users\Admin\AppData\Roaming\loadctrltb\WQUJWFIJUKEKAX\Setup.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 860
    3⤵
    - Program crash
    PID:3556
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\httpd.au3
    C:\Users\Admin\AppData\Local\Temp\httpd.au3
    3⤵
    - Loads dropped DLL
    PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4388 -ip 4388
1⤵
PID:1312

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\kurrajong\" -spe -an -ai#7zMap25480:208:7zEvent30909
1⤵
- Suspicious use of FindShellTrayWindow
PID:2724

C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\x86\HDHelper_[0MB]_[1].exe
"C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\x86\HDHelper_[0MB]_[1].exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\Setup.exe
"C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4200
- C:\Users\Admin\AppData\Roaming\loadctrltb\WQUJWFIJUKEKAX\Setup.exe
  C:\Users\Admin\AppData\Roaming\loadctrltb\WQUJWFIJUKEKAX\Setup.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 784
    3⤵
    - Program crash
    PID:2724
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4760 -ip 4760
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
495af8d07dd6ad290fc43b80501ab42b

SHA1
1810993fc6dfed02317d3aaba79f65ffcc375dca

SHA256
a08f2c0e3195188b5c0d300f1eb883e85e35254c0ef1201c0a9b66859c771dea

SHA512
856a06da9b262602bb22eff64db8713eab6fec9704438b4daceecad2aa02322d5ccf6ed8cb04ea5e2c332a6a1883f2e216fad92343c45fb6ee47cee1ae7f0dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
7e2ad40bf4d54b493733267656c454cb

SHA1
44f001d22b57b8425229f4a4b8f91dcb17e05955

SHA256
0029474f45836cf74a5fd00ce089f994ee1299dd32ba65ba7d8821ed59b4f249

SHA512
190eb5acae10dfbaafffc1664dc98e19b5853867c786f044fdef4c2fe7f606e0086a3a8e8fca394bd68ec5b0b97cd50ea080d3a31d2702819d0361e2261c7c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
99865b1b6b271d09b15820b196a29c6a

SHA1
228f52b2b63e95a9eb7968ed7c3bfea7f890a6d7

SHA256
c8cb367526e25780a79e8bab3cde5b44b814434df6ab0dd5e42aa85382b63a24

SHA512
a67856713403b81ac3e346161be9861b0faf0e57315dd981bd9962bfe205f85612bbb23fae0137038947618d5e49162b0c78c06ae28cdbd04a75350c58b62659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
02bd896bbad0d32eb4d4f03cc713afec

SHA1
a178f77cfacdc6e2051acc4c20f9ac45613e7dcc

SHA256
8a929be1d3276964bb76df301e95f6aa3879c589de2dd21cac126bd5e7fa4f51

SHA512
709ae2d30a9b9fcaf87a5c381087dc09bd4473f3eb7f159b1c6bba1c883fd896a1c7d5740b50a4700e3a1e108123af44f6380f844ec821cfa3a779b8d3e67206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7bf4f585e1d8984b02122da6de0bc5d5

SHA1
36a7b31efee49e62ff583c795c627bf5d2f59b0f

SHA256
7a2b6e9c5a860e40f08ee9db9f82f3c687e4fc05637d6799ca85630c89a0e87e

SHA512
548ad5290fff72ea60d1e35c477ff933207ec09af061b5ea3bad1009d88a1f3ce7c273fe542873fb18e5ac7c869cd422f6b84a48bd5a864102ec90f7d1fb0f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f68b3916b38388d686e9a599b0273702

SHA1
9bef4b174e3dc17297c63cc8b7b53afb22fd78ad

SHA256
5230a96a0ef83a147134cb3198daecaa7ffdc96b04fe0f88186d14b1b7213e4e

SHA512
91d6f64734196c3cd76daecf40c29f911ee7b520d5a15857815913211e9c1109b79ebd321c332bc1ec695cb4ddb4154b1e59ea96ea2baf7d4c73d8f67304836f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
98a4bf81ea9a92c6a29dd9dac1d57935

SHA1
eb1c9bbaccd380bcfbc226248ca05e9270d43cd3

SHA256
87d1cd3204308e9ed804bcd46f16e9050797725ba3ef4e39fcd50c70f867fc74

SHA512
c9d5fb5375c7d64a81d48395672c6a69e4d720411070e1b0c7fd39b82e819bacd5d0a97e547b55f9e9066356489b1c0f1f83caa47d4a6d45d1fa82b46ce20332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
2d0753b7a0c981a66a13ead39cee788d

SHA1
e8184a8d280a94152273b11b71f1e3b6ba897a51

SHA256
a3acc8803cc26be2bcaf7903233b307ef0da073d8bf41d6ede0e2cebc4d84bfe

SHA512
a20aa1bc6624c08155ef81d9f8a66a20bbf712eaec46ea703a08f7771d9af8fa3e06313431671767cfe5306f59353f5d82e2bc32f1d5c361b5ca1f81cbbc2896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
03467b451ddfbdf9643324464d853ac4

SHA1
26504c7d9c508325d6e49e529a4c56e39fd52b68

SHA256
454059d224b3c6a9e69d1b7d144b1cece406851b4250808954ce4fd6c6c76e00

SHA512
b0fb699e53a09df0f138eddc5174d0ad3f5955e37d0e66cf134e4864fb10a7ca0a21dbe19e4aa3003e3aec8f0bb73fea120034e3f94cea867da14a71bdf6b6f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cbe5fe0b594bc4a4212d27b6a97922ce

SHA1
cba967edc513c9e440e4e732c52a977034802cd8

SHA256
607793d2f34ada1cb9422efcdac6b2393b4db366a47bc41c507e97580b841e72

SHA512
5299e0c753ac1a51cfb9c18e53222f399339e53ac8cc96eed27725a5d2c9bc259a2613ceb92abe4c86762ed48db486c5762228a60ec9057e233dd563c72ef94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
da0394fb6ac47cf9ab930bc843d15e5c

SHA1
445649e70f994be96bb0f3f8a9d6e6dbae157b1a

SHA256
803f3ba239441eb6e4ae15c7a7efa8b66e1d51c83df02ae461e2485760b9695b

SHA512
8760824f91b4a9107c5de49d31be0f5248a06fe75a444d2e2cb65d7e72b101f36b0064020362d6663a29e39bcdc374cde46adbe7ffa5e173b7c946895255901f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
bdcfebd6492299825982932a4830cb76

SHA1
7b8f429feb2687b7d13442ecf9b8baccb1cde4f5

SHA256
09a9baa82e9f15291352aa761dd5393ce2aeba94d152fbdc88ba719cc7fdc70c

SHA512
cae346d4305fd6dbb5fae50e2cd7687b0b2694131342b070c4218e6316fd170368b0050ffb1457dea8d4898f1000f8174ea86a62480b24268207fb73b04f1cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
03a9c0f2bacda93ab6c25fa2df1d7ad3

SHA1
730f167f1b410efb5ca5e59c6c22d1af07e66716

SHA256
f84e3917bb9439b9c438a197187ae0bb7fdb7edbdee1987f775d9bffd807da67

SHA512
22a7d5b376368c1c73c914e6137bc4d490bef08866c4929c04e8a47a676e7ba2d6b4061dde1cf7ed32cebbce1a33b76e1ab4b048c52d934ddc3a2fddbc3bfea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
78fec0e3ff7411e1c73051e3b2fdc99c

SHA1
30cc47340cdd9df40660c12b5dc13e5c368af678

SHA256
7c68736f0b191e15b83ac8403a2568bb0191c7f34e16013d79aa762e16cc7bca

SHA512
7b6437b3d7ab67b87cebe8071aa02dd13b9a54372e8aa473f3ab110effbd9aef4a309351e1fd684d5f349d340bea3eb89adbcc670f4765bb151673c71ce19852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
6cddf4220f3f8667d6bb0ca327cbe453

SHA1
70306dcdc4c74a244b53066d148e3f396b7bd624

SHA256
c9dd14d03006b15126231d246de4665c5503b6df625d04a3c776458f9efbed1e

SHA512
eefb1d6c08ca9572b8f418b5f9a07410ee55b2711e096f332293b9e3f0e0d66485d4d087b67ae7761663243914f775e083362a3cdfb3593f3c763c51569095d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58214e.TMP

Filesize
91KB

MD5
33d64a3b1112f02acbd0d84e3483b3c4

SHA1
fd14a24420ca5df417b7cd8da6e37ebc5bf25338

SHA256
e703be8fca131a111d6cd8aefd49e2d886df12de305e87e69969c6285820d739

SHA512
caf150cc68f567cae3fed785dd14e2d94850b0fd17280f77490efca8af8adecf47b77d2226c4f04e6281a6855742c753e34e8301fe07cfb690c1ca416c82c903

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c96ca62

Filesize
2.0MB

MD5
ec29233cf3b728eb76a59e920b0ed736

SHA1
8878b68eabc5179244ed4bd5249534604320820e

SHA256
1a5178bde8adb62b31e9a3eb056d8b025d931712da33d3e9e6abe17a8cea88ca

SHA512
db0d466ed08750e0ce069edc7e4803a1ab643e185f620c9a0954a735f56e67a66ec6ce6c1b24ddde5a7a0d0b39b112a376cc79f170d2102415ea7df9fff39124

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc19dcec

Filesize
2.0MB

MD5
6a559c6effd4570831d71e3fa1161979

SHA1
ce207c7aa1238dea66121db0cba5718963ca8235

SHA256
bb25e16a14fa9f40535f9b3a831ab9848f821b86d3ae9501c4186530476a50b4

SHA512
2d5d5448a7d94b6f4d6448e60bb201c31ac88b1d4901bb45fd6f0df3313aedd8229723a3b3d66193cf183a11219892dbd283df79a106db563d42d07c47fa6c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpd.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\loadctrltb\WQUJWFIJUKEKAX\Setup.exe

Filesize
111KB

MD5
9f262921a7fbd432c3a694a372caf1b9

SHA1
dfd75a8835a5553d457f4f702c7fe5785227854f

SHA256
56cff82b9e3ee0ed5e74a3e55115e96fd198598be26492cca7b15d9b9023a238

SHA512
cabeaef6132444dc06e7a53332eb58446f7046069044c44b7a27693866a1d66aad7b3ebb5fe7bb79b780548a75b206528f176f5505c574b1c7ad3bcc6fc628b8

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$.zip

Filesize
10.6MB

MD5
b026dedd392dc1881aec2682cb4fb1db

SHA1
4cc9e80ffec95e00e73314017ad6156af04887d3

SHA256
814e8fb7093e30e8dd74bdb755151a4fb5e75c3e0e11c0e8297eb80d30126883

SHA512
6a0957b74a79200556cddfb9e796fe8b397446291f6e243c93d708e2598a1299abf668fb78edb0bad470fe06471db8ff1feb9b94caee78f1f5fa9d83ba985266

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\Setup.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\acdbase.dll

Filesize
2.9MB

MD5
dace23695dcfa0f7309b65366ac75bc0

SHA1
c5b1bad2dec36852fae90f81f0dbd00518479c01

SHA256
cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

SHA512
0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\cantor.ics

Filesize
1.4MB

MD5
259465ff6746867c17270958f8008f74

SHA1
ebcf4992813c61a25a71795405ca4cbb7f4abfb9

SHA256
e9942085b904d286539086e35dca4750dda59f9e08cbab5db33553d3fa1544e7

SHA512
e6ae9e3ff5a38414212585010831005694c2ae12114e3c63830f9050526b14960c12433a300a0414051a6ee6eee8b7f8b803934327ca590c075d19677da951be

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\kurrajong.tar

Filesize
26KB

MD5
55da488b2d4a0930b4f10270381126ce

SHA1
8481be35ad21c3297d00cea813c94745c4c37380

SHA256
bac0380095f2daae2cc5a0c02cc7f702ff4d61393c187373d89ba0dde00ef4e9

SHA512
54ab2791793c3be7df8c88ace192b62f755e91669de04f682479993bdf2dcd56277bd00748d6f520ebfee6ec74253426423e66823ee7bdd0b6a5985313491a5d

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\libmmd.dll

Filesize
4.0MB

MD5
19c31c58313c58fc88cf27e77befb0c3

SHA1
b0711e10ef98b86e76ad28665285598d8809ae36

SHA256
c2684b143c3417c588a3c0ae0a9c4329e71a04fc304aa3a69eae61ede1d0b290

SHA512
97c954d009d10aed8fdbe02efe3b8d74840c2dce03da8fe5a5001d390afb4598a5bb3d74dacb740dec10e86aadc54b792bcc3c6815b2dfff036f14dace31ac86

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\Downloads\!ṨetUp_5572--#PaSꞨW0rd!$$\0pen___file\!Ŝetüp-5572_PaS$Ḵḙy!#$$\x86\HDHelper_[0MB]_[1].exe

Filesize
566KB

MD5
8a179892518a2c4e8a63afa91de7bdce

SHA1
e9b095c966ccc4c4900b4cf741c067d2a0f43cd4

SHA256
72ece91f65a461c5023695bf5f31b5b6b5bd629dba8407524e8144f6d1e160e8

SHA512
91abb220c222a89a2df27818b8385b4015128a35b7d4c43d0f497717a4e5a55dfb9dc1da3f47a49a2400ea8300d41d52277331a6c7c3437ac5cb867a4027b220

Download Submit
memory/1508-512-0x00007FFB25A30000-0x00007FFB25C25000-memory.dmp

Filesize
2.0MB

Download
memory/1508-513-0x0000000000150000-0x00000000001AB000-memory.dmp

Filesize
364KB

Download
memory/1508-526-0x0000000000150000-0x00000000001AB000-memory.dmp

Filesize
364KB

Download
memory/1960-502-0x00007FFB05F00000-0x00007FFB06072000-memory.dmp

Filesize
1.4MB

Download
memory/1960-457-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-466-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-449-0x0000000003FA0000-0x0000000004188000-memory.dmp

Filesize
1.9MB

Download
memory/1960-461-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-498-0x00007FFB05F00000-0x00007FFB06072000-memory.dmp

Filesize
1.4MB

Download
memory/1960-462-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-464-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-463-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-459-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1960-475-0x00007FFB05F00000-0x00007FFB06072000-memory.dmp

Filesize
1.4MB

Download
memory/1992-597-0x00007FFB25A30000-0x00007FFB25C25000-memory.dmp

Filesize
2.0MB

Download
memory/4200-561-0x00007FFB05970000-0x00007FFB05AE2000-memory.dmp

Filesize
1.4MB

Download
memory/4200-550-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-554-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-553-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-538-0x0000000004050000-0x0000000004238000-memory.dmp

Filesize
1.9MB

Download
memory/4200-557-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-555-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-552-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-548-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4200-589-0x00007FFB05970000-0x00007FFB05AE2000-memory.dmp

Filesize
1.4MB

Download
memory/4200-593-0x00007FFB05970000-0x00007FFB05AE2000-memory.dmp

Filesize
1.4MB

Download
memory/5104-508-0x00000000759A0000-0x0000000075B1B000-memory.dmp

Filesize
1.5MB

Download
memory/5104-506-0x00007FFB25A30000-0x00007FFB25C25000-memory.dmp

Filesize
2.0MB

Download