hawkeye | ecfa5c1f460a2d96cfe17c13b7b77f1755ebf4a96d114a1d8814d85c78483ade

Analysis

max time kernel
263s
max time network
618s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

luna.exe
Size

469KB
MD5

e60cc75120901abeb61e9fb76cbf96ec
SHA1

228bb950e891943002c0c7f604f3c3feff6d135b
SHA256

ecfa5c1f460a2d96cfe17c13b7b77f1755ebf4a96d114a1d8814d85c78483ade
SHA512

6de5b0985238ba664985f5b0371765ecf8e6a31bafd5dd3688fefeb0c93cdfe011adc4aefa2258afacb6278e5f83199c96c1247671adc3e319ba45150c787b41
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSdPn9:uiLJbpI7I2WhQqZ7dP9

Score

10^/10

hawkeye remcos remotehost discovery evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

it-double.gl.at.ply.gg:37981

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Security.exe
copy_folder
system64
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z7BY2N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Windows Recovery
take_screenshot_option
false
take_screenshot_time
5

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	luna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	luna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Security.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	Security.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Security.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	Security.exe

Deletes itself 1 IoCs

pid	Process
2084	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	Security.exe
2388	Security.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	cmd.exe
3044	cmd.exe
2664	svchost.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	luna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	Security.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	luna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	Security.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	Security.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	Security.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Recovery = "\"C:\\Windows\\SysWOW64\\system64\\Security.exe\""	iexplore.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	2804	WerFault.exe	39

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system64\Security.exe	luna.exe
File opened for modification	C:\Windows\SysWOW64\system64\Security.exe	luna.exe
File opened for modification	C:\Windows\SysWOW64\system64	luna.exe
File opened for modification	C:\Windows\SysWOW64\system64	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\system64\Security.exe	iexplore.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2804	2696	Security.exe	39
PID 2804 set thread context of 2664	2804	iexplore.exe	44
PID 2388 set thread context of 1272	2388	Security.exe	67

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909e72dc8529db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06498E41-9579-11EF-80CF-C28ADB222BBA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436315118"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000f1f64d7427cfb0949cbe5dbed4a90cfe34120e4a3705a12b56994288c90319dd000000000e8000000002000020000000bbbcf4c22840bb2e6845bd2ade120d21649f51a00af215118040674dd23ff7bb20000000977a8b551f223a6f62d5e44cf00b7cb784a162702ec503184fa9549098eaf6cc400000005ba55b6715f16de9d94146a5cc6d8f77ab46104a2eb6b5f6b5c99450ff864d8a63fa4da589f913a27c6c7164c222d7a1df7332b77105868d884b7d120d5f8884	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000002eb4e1e9db1fb5189da4f7b421ec727a694d0002229fb78edc6295b8129c4f57000000000e80000000020000200000000d85f1a6d7f01fa589d7468adc9e8320c5458988ba03ba4af1822d85228f59f290000000a71fe6976e442b23bd5f4be0fab929919c565a607d27c049d1e57cabc40fe1cf68d5c5b9b2105bac9ce4b206aa6bda39ff2a5beacd26d6f692f9637cfe5ab0d7b8ff1dd7f6e56817f218b5d3c8828cbccf37ff070da69b5fc1df8b40d6aa9d29b4af08f0070cfb09f3a760dbdbf629ac59582bbbb6c98fdc4272bef32b3c7c58d9c5aecfcc32cf8a36c17821b1b6fdf5400000001f8a42d4c0d944adf7e15f7aa80e89a76dd4af196489241c7d605114fc2160ab90b35921498071863bf3573e98750fd8332df17fbc210c8ca2ebf3134157da86	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2320	reg.exe
3064	reg.exe
2848	reg.exe
2488	reg.exe
1492	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1108	dxdiag.exe
1108	dxdiag.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1816	iexplore.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2696	Security.exe
2804	iexplore.exe
2388	Security.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeRestorePrivilege	1108	dxdiag.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1816	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1108	dxdiag.exe
1816	iexplore.exe
1816	iexplore.exe
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2932	868	luna.exe	31
PID 868 wrote to memory of 2932	868	luna.exe	31
PID 868 wrote to memory of 2932	868	luna.exe	31
PID 868 wrote to memory of 2932	868	luna.exe	31
PID 2932 wrote to memory of 2320	2932	cmd.exe	33
PID 2932 wrote to memory of 2320	2932	cmd.exe	33
PID 2932 wrote to memory of 2320	2932	cmd.exe	33
PID 2932 wrote to memory of 2320	2932	cmd.exe	33
PID 868 wrote to memory of 2084	868	luna.exe	34
PID 868 wrote to memory of 2084	868	luna.exe	34
PID 868 wrote to memory of 2084	868	luna.exe	34
PID 868 wrote to memory of 2084	868	luna.exe	34
PID 2084 wrote to memory of 3044	2084	WScript.exe	35
PID 2084 wrote to memory of 3044	2084	WScript.exe	35
PID 2084 wrote to memory of 3044	2084	WScript.exe	35
PID 2084 wrote to memory of 3044	2084	WScript.exe	35
PID 3044 wrote to memory of 2696	3044	cmd.exe	37
PID 3044 wrote to memory of 2696	3044	cmd.exe	37
PID 3044 wrote to memory of 2696	3044	cmd.exe	37
PID 3044 wrote to memory of 2696	3044	cmd.exe	37
PID 2696 wrote to memory of 2788	2696	Security.exe	38
PID 2696 wrote to memory of 2788	2696	Security.exe	38
PID 2696 wrote to memory of 2788	2696	Security.exe	38
PID 2696 wrote to memory of 2788	2696	Security.exe	38
PID 2696 wrote to memory of 2804	2696	Security.exe	39
PID 2696 wrote to memory of 2804	2696	Security.exe	39
PID 2696 wrote to memory of 2804	2696	Security.exe	39
PID 2696 wrote to memory of 2804	2696	Security.exe	39
PID 2696 wrote to memory of 2804	2696	Security.exe	39
PID 2804 wrote to memory of 2784	2804	iexplore.exe	41
PID 2804 wrote to memory of 2784	2804	iexplore.exe	41
PID 2804 wrote to memory of 2784	2804	iexplore.exe	41
PID 2804 wrote to memory of 2784	2804	iexplore.exe	41
PID 2788 wrote to memory of 3064	2788	cmd.exe	43
PID 2788 wrote to memory of 3064	2788	cmd.exe	43
PID 2788 wrote to memory of 3064	2788	cmd.exe	43
PID 2788 wrote to memory of 3064	2788	cmd.exe	43
PID 2804 wrote to memory of 2664	2804	iexplore.exe	44
PID 2804 wrote to memory of 2664	2804	iexplore.exe	44
PID 2804 wrote to memory of 2664	2804	iexplore.exe	44
PID 2804 wrote to memory of 2664	2804	iexplore.exe	44
PID 2804 wrote to memory of 2664	2804	iexplore.exe	44
PID 2784 wrote to memory of 2848	2784	cmd.exe	45
PID 2784 wrote to memory of 2848	2784	cmd.exe	45
PID 2784 wrote to memory of 2848	2784	cmd.exe	45
PID 2784 wrote to memory of 2848	2784	cmd.exe	45
PID 2804 wrote to memory of 1108	2804	iexplore.exe	47
PID 2804 wrote to memory of 1108	2804	iexplore.exe	47
PID 2804 wrote to memory of 1108	2804	iexplore.exe	47
PID 2804 wrote to memory of 1108	2804	iexplore.exe	47
PID 1792 wrote to memory of 1132	1792	chrome.exe	50
PID 1792 wrote to memory of 1132	1792	chrome.exe	50
PID 1792 wrote to memory of 1132	1792	chrome.exe	50
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51
PID 1792 wrote to memory of 908	1792	chrome.exe	51

C:\Users\Admin\AppData\Local\Temp\luna.exe
"C:\Users\Admin\AppData\Local\Temp\luna.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\system64\Security.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\system64\Security.exe
      C:\Windows\SysWOW64\system64\Security.exe
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3064
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2848
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\system64\Security.exe
        
        "C:\Windows\SysWOW64\system64\Security.exe"
        7⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2488
        
        \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        8⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://a9fm.github.io/lightshot
        9⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:275457 /prefetch:2
        10⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rrsxaerpnyafnfgizi.vbs"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\SysWOW64\dxdiag.exe
        
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 736
        6⤵
        Program crash
        
        PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61d9758,0x7fef61d9768,0x7fef61d9778
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:2
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2148 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1332 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:2
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=988 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1044 --field-trial-handle=1300,i,17084386513942052127,4783271228080966553,131072 /prefetch:1
  2⤵
  PID:1564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9b42e5e3b274f7f08b957822c0c6ec1d

SHA1
e33609b7986a5d9b861b806ff1ac90909ca63f4a

SHA256
8fb9e1782592027899488fb99d535206f962fe633dc03c66a4a2cf8ba59013f9

SHA512
3f3d00404cd9e903b7c8c89f9ce8f678a607188034ec5b0ae265fafc7480bd0447fb3e4a00f0b675775ddcf9a23d7e0bc6a06c06d892906a4d3d7b616e4785d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
599043e9b3614b23ff771765594b02c2

SHA1
63961446f611d78bf3007a83aa99279db80a9d36

SHA256
626e4800bcd8954aed65cc1f073e26763ad9854f3556eab5ccb722916077e70e

SHA512
05c48928fd514b7978d56394f9f5598a26fd2c400a2aca0d750ea063a7b146f260634cced5f8bbb60ce22f0f91039b9695a2f08929198353aa7c2f8f280b01ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f73d4890b975d35871b244690e58ea03

SHA1
ad51ee6aa81f07d836e821f2d6009edd531c0037

SHA256
6c151ddeab963bfb25b21e2b4eb3328872e4da990739eff75455423b5fd662a6

SHA512
123fa87f21a8a82505bbeeacbda8745591198854aa62b525ca56133f0073b1bd997c49bb803d8536968321de22ceddc9896b748134ca6263598cc323b2f22050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8a9059ca547ee86643ead37c593174e

SHA1
fdb753bf43d04b9ddc057ebcfca9a8623853f0be

SHA256
2133bb5cb0eb9727960452a3cea65261f95113153dfa08eddabb4d8107a3daf7

SHA512
a741f95d491e9e396570c07c817d31b7d212607057d9e8f1657e6c410a3e981c09ecdb1b350b840b06ecec67067ce7a4a8c61185a34b75f5794078641a2b110f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3864be0eebeb69da4f613a8b87449bfc

SHA1
4afdfe2bd563815969157aebb126bf25e92f9e08

SHA256
f9f9d8854a6c48b1b62c7de9e180161c0fc82fd41e42df5729bb959df87fd9f3

SHA512
0d08c0e3cf3a1cf61d4a3d4215582c1f4e2464573154f93c02010d8fceca9f0b14f7c018f60c4a9723d6f02f6c872d0ff6635f85a7978886c7f87b39132248d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e293d026a3609902a0a6cfcee62d9b0

SHA1
0ee1e1cd694add67de56b9fe91c4b2feeb85dbef

SHA256
f2afb5df7d07f3e9e1a31c961dba12bf2aaa3b9323d4b1c0e64ecbf9fd02a274

SHA512
38b6de07808f156ddce9d6e5306447882e9c930ee42b675989b0440cbe847a9d68c1205c589eeba0d1a837ae1214a6002c83f2ccebcc86436b82398ad05f583e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f35fd7e5dd61cadfad572f2e305beec

SHA1
c74f7a3f88f4e7967df86f8cd1b5184d08d4a4ff

SHA256
76dc1c5de22e625aaab858bc20e7213adfa363fe94122c67b3a05c5e873ae98e

SHA512
db4a1e135ad86eb7f4fd16230cd739ab69b782ed2c5e1a8df12a7733e29f6310843575a231d34e1ec80abbb4da6b662a5a5358c0e72caae781942b0b6e32f96c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fe1b3ba5b3f051b7f29aafe5b8bc594

SHA1
203e284b95224275b97b71f38e63534cfad11ec4

SHA256
e950037f4f2fe7157afdabf941051fca4425fc18c179a03a4497dd1a460221b5

SHA512
f893b832e3d09d88a742d241736312318393dc542d9e75b8ab6c9fb810fb49bdaaa67e81d2afa3dea1c03218889518c43d274132e3ee952251fb02b03f70d696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55b7a772422d2d44023d7102db90672b

SHA1
1fe07704ff2e2f8e5af0e13cc5108d700e0742ef

SHA256
415aceb4961a5ad969bcbb62f7b81a007fda2c1cbe389d463fd70a31fe1922eb

SHA512
34e8a1df0b8706d7795a94a55f92585f97983758b488cc9694ac63458167a71124c73516b052435569becb0a805e6787d7898f06c47ba97f84958fdff961b669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43d2f84ad8918bc05dd57aa8af066b07

SHA1
9cc9e366260cf9b9bb52a126da3da66ca43e2f95

SHA256
01aafcd666eb3fce70ad8ccca3959d86e334b0031ec2f776f2ceb00de548c42f

SHA512
c05f3995d901252fc208445498e6b5cdc9422747c69f9859ed4faf8d03aa46f99bacd5b194dea7d98f68d513ed7188eb7d4d0b17555c880467ec04ab0d90cd88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ef127cb6d4555c07f53f18a0f4515a4

SHA1
df2f3f6345e447e04a12c6e6138fe4b447a17c59

SHA256
e258f783990b8cdbe8e60936918f1254b0c2cfc6b067b7d1f1f48e8810441776

SHA512
b772eff4f46bd8b1abe37b6518b15389aa855eaca4a67c8eaa0c013f7f8d664ead345a8c4a47dd0c7ea1ecdb66389182fac33cc269cb4d7b1f49ee78e3778fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01156354afbf85e216ff2ec69dc5bd5b

SHA1
ffa16781032916ffa26cd6d5d0a41bc87296c2d3

SHA256
e239efe9236b6d55746d0d4380547ae871369dc1d6e774d500318c7990b5cb90

SHA512
c967f0a9cac40b95678170d8009390abdd6fcdd5f82d96d1cb5440397e82e839c421c4251e422bf72d35445bd9bf3c6c00dc7dcc7462aac6d876f1bd70edbca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84662cb29c625f787c4edbf5e411c8a7

SHA1
f594ccdf4b2447b31fb79763245f727413067937

SHA256
ea22b9aea7314a1c13bb7562544aca5fd2eff63fb8165703199343eb7a18d50e

SHA512
d074f38077226c7c31625055a5751880aea7d65cf7e712542aaca617125a465ec9c1b0994f08cc74ff9bacac0c303109d19da151e1d450a274014dea64fc6f53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f4cda0396723e95cefedf59aa43b23

SHA1
0785b6cd85247a5f85913aa238c7c3eaf9b61fb2

SHA256
901b9a997d719f91ddcb7ec7ee0002472d025131a29c22631bcaabe3dd5c0dc5

SHA512
cca265c2c61017d44af040989249229b4e356ab196f1ed72c0e86184ef62386d608d38313954da5dc3c5b511286f5eb5e579e0b057f9ea3f540deecc0b1b056f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b8a3cc6e743bdef9523476871f217f

SHA1
ab7592a2a06a852f1b21f08a335003321e68fce0

SHA256
2ae4427c14685d961b71353b86399c80591ae8b36a619fc02759f6752dd56139

SHA512
36541350c8767fe1440a7c2bea8fadb72f491d388f0ae59cc76e228ea98be8a2430d2a0dcd82a99acbe7795585340c1c68f74ee230c57348e8987072aabf3d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6066796cdec349e8302ab25d21a106b8

SHA1
e24c4c108da5e9fbd6c31998019f19ef9adac1f6

SHA256
9cca1218d7f36ee6fdf087c3753aab3a52810aab46706d261057ac55a0e90d03

SHA512
ff6c27404b884336ee643fc9b5a5f0ff8d8cba053bea7f87f0aa928c1615fc29885e9ba4854fa146932814d061ce53b043a4f9efea51565f0a41c90acb21d0a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84c7de4d4aa5a76e748d2b3cfb87c484

SHA1
8f5723c978094d258c3bec77b28b83eeb378fd1e

SHA256
1661c43f96f17fc36b78a851a87a7319f58cf0b91d8ec61adcd0f27afcadca93

SHA512
a85e8eab820916c4dfd59671425973d2fd45dba3d33133831ce92c4c99635ac9b66c29443aeff513d9cdd004249e3b95e45124bb5d1bca09bc3bc8b6790a8f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24602f5fc448176bcab4c36d02756e50

SHA1
8d57ae10953e2e6f23f7f00b5bec9641ca0eea27

SHA256
032aafd0b4131e48a6c67785ca3460bbba2f1b090e9db0e5b19027d0b7dde84e

SHA512
76bd4a6bd85e1ea58eb419334a910c2d0043b30cebeb1d07731af10d4f4ab949f69330b76d726185efa07ff89867f0a70fca68bf98bf6eade5a65e4725342137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6016615d6d6d024e1403420633a75cdc

SHA1
9fcf849f18eaf43fbde6cf695783911b27f48df2

SHA256
3201ce72f1344a4169e6238322be37c52c6eee0f9b8920a760d4be72724b2e9e

SHA512
fd912e5fe0091c9fa90369c60f26b098ea76ab36510ed10254a3b0d9d36cff90f384c1da89e6ae09dcbd91142da4206f159e39135e6e71ee486583b5b9edd9f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce62f910410760d5a0217cc6576fa4b4

SHA1
c63ee446b79af0e1af6145e39a41bef9f4fea763

SHA256
26257a912ff317268a99ce54888bbc40b9c8e74afc92f65a1d1a1e919419dedc

SHA512
76883b889302cf3b71af06ffbe00e42e4cf4eee717d88da8d2e8bfbc335e6a5f9b2843a1ba8dbb8bea619814823c75d6a3b1c710bdebb2b28ed8c994faa10ba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef0ff3369f35017617fcd47c0204a2bf

SHA1
c42ee9c846b9b821ce16433d6a7e5f1774977795

SHA256
d0ae9e8d2ee80fe2029a3f77cb572d4da8ba651bc5a5ccde58ab2d7a269153b6

SHA512
7d9da896a44926508f1e907c14a73c2aba3ea2c2c8fb06cc6880497fe2376e5199996065d79965c87c9cde9c0200544d02663cdfd5429f41c000518a5f419f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a46b44e780a99076bfbb72e15d6a561

SHA1
5093573275254c2a9ecad04e2bb71264afa62655

SHA256
cbffc0814d180842516aecd4d22369bd99272bd90fa512f3f4dbf4b8762aa7c1

SHA512
cf65fce501f7c569fc9b7725da161530d51db37c3e51bfdb71252bed860f817bd4fa1710da72882b57e62968816daa4cf7a8af85b0818b669079945fb847bd93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc7fee6f7ec244881b66ac85bca19a1

SHA1
978db715e2c885076d30698fcb1e674be9da2e8d

SHA256
39cbd3c49e03dc0741244a9badfdce5d3e595bef668ab22bc4fb7edecd8cce15

SHA512
1a9ef84419c3e2c752e65d91b25d4493edf83fe25033f2e2d82197d2589d51d12b6f902e75b63c21f4f0d60f67511e856cd8144a4f6ba5aff4c4a8a412ebf119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16c38736f9cd58f7a15dc4c3048e8cd6

SHA1
4d22caf6454f96c74659180787d8a9f2b0e445ff

SHA256
6dac288b74eb4941e985846d3a8a1531b68bd4d57bc1033353a1a72681510b1d

SHA512
55c592d3e7804f0571c3fd7ae0ff8d0df3cdd513762dfbbb899b44fc3b7e99b37e292f9836add5d8d769692e270e5952805ccf5297fa670d811fb40041b5a180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
750a9a1dcd83d069d313d6f112fd9461

SHA1
6a17de6ad1c34c25698aff9fd3c03e7f67d7d2f0

SHA256
a9e958a64e4e67b2a801e196c4be735e2d869314ef03954dd8de48ff7538a1b3

SHA512
ae37966378843a672aa93fe7eaf282c07f87f32319d6134a599c8c6baba0fda912857eb7d780d71fdac9e78d50c35e82b9130eed4bbb3e5cf4ddbc8aa7298be3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4570ce9b26c7c76b8d1f4bbdecdf3e9f

SHA1
494a9e522fdc28b78a7cc23caccb6b1a264963ae

SHA256
d329f1c9d768cf8174206e5d9eb133cac84efa8bed9778f2b95ede016d9f0bae

SHA512
9c6f8f9917c4c4b04541b1789624d3a407c5de277c7ae8adeb08815ea358cf04ba074b7f248f682bc8e29ded266f2d83eccee77eaa9a3319212c1411e8cb2bf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
87cd66a746601721d0ab640154a9f578

SHA1
1bf11015cbc8336e28896563fd115a6c71e76bef

SHA256
a12d6a70ec0b83bf80005c9f4655bb43ee84ffda774dc2a4eee47f233ff6d6f0

SHA512
63e53b66bdd3a65b3d61260986f8250f6a2c9a95c9f31e7bd7061a76e3c0df7c2c4b23c8d794c866cb03d60929b7f2281e0d6edb3f3a7c17a7a8aa6065b8f9ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6666aacb-9f1a-41b7-9109-6cb22a984f27.tmp

Filesize
5KB

MD5
d68cfe5143530684b4f39269a59d59cb

SHA1
d824e558734b401fee88a02388de72a530b33682

SHA256
5f4c5e35a1b3de9e716b5df8b3e5c55269bb0a11ac1e03f65263776b4af11cbc

SHA512
d18c94e353b20572c7a5730d4f9c56666061fd0dc36e3639c91889a5a4d9515904de82722141e9de39d15c1aebe2038585f7816990beac6068b6229db236ea0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8abd1cf2da58aab6b21673b358539d57

SHA1
d9aa62d42162406837c4c51f7c239ad410ba1755

SHA256
11281edcb471f46c5e3697ba60b08d0c87af84c5795bbbc9493ebfd85477cbe0

SHA512
369d955afc8d127cfe51e45ff6c8de070294375eba5a027b1a084c6a3f0a219c968269ffc241a0ffd8366424db18ef49b0efe029223701b48f1a1552a4d923cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7d0e130958dc4f2fe6fa8d02204b89ba

SHA1
a9e93eba21c8d3564eb7afac6257f068f741ab00

SHA256
e7889a2372d4efca0e25b620ab09f4d1d8c064df194b3536d72437ba219c3466

SHA512
6d38153fba49ff2cce47acf6a120da355b1d0671d4b72158b5a735888b228d98b3d73a4a0e25e809ed6dd33164437495116d26b675e9b1ee769892b92b44a01d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c9098088c3c26a1246b5ce41cc002b03

SHA1
75c2aca36860fff5f4ad0a39de5f7009df83c8ae

SHA256
601193bf8dd7c0461c6a3a4b179c54b01de1a2653c2ac5d167d7e8e785f49966

SHA512
be30be52026c2ef1bd263dd537abac50e278ad7174b7a31d426b742b75ac864669a89eb98a46db5e1c8878595808d752eec7cd04d0bcbc08090d7b726b9e2e2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
edea9d69f347eeee17db5369cc00c6bb

SHA1
e847da1110768006f0af4899b29d7edede6b8e39

SHA256
f4aa6593f37dfb177d9a95b94db55ebec147c6830c20154770fa8ed6cb1ef57b

SHA512
d6583b03122b845007a333154b05addca6e0674388f277999ea5461ea81c9045f01c1431bd51389e8f5e91b979e0449dca450a672554270b895bbc92d9c19071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0309fa541842aa75d1d538995f512745

SHA1
291da0659a8ba39302c9cd609ce3a31e934f1f12

SHA256
ef1645c7b1a86c1b21895259a03f5563df1de87f387946cec7b96706a039289a

SHA512
b92af307c107031f611df14e4c72d4d12c8061ed0ad94d0a4543c69d423c22aa6a015a383e870c00e87d58348bb7abb565499186951f0eec5bb52a3c22475053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bf54f069df7a127e07a818a1fb20b4ac

SHA1
6f7ca651c6a76ccb251fe0db0f4d68c93574a6fc

SHA256
154448cc91ebc17785f496a9ef0506c0866e4f85af01167c9984555fe8773dac

SHA512
26c86d7df1509507017de3f2318738ec7f52e66142255cac264cc6a2dc22794530156b86041b4c58a4d2db52a1e1d7b0e6a1f74b194ca87b039839ac96aeaca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEDEA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEDD9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
524B

MD5
97627fc71d5e90498616baf1e6fd73f8

SHA1
b75fdc55147ede7ba9eb9904d1b045246f5ba156

SHA256
e1d0bd471d22160ca18c4f4e3fc727a4c66df66f9afb84816ba91e8fe201522f

SHA512
8e41fd1ab5534213fe0921688d4adc72a2937765cfd7eb7bcb1448e5cc599cb705cba4415f2022d70f8b61d66b819e460cf7ba43a439a072a889f013c00ea948

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsxaerpnyafnfgizi.vbs

Filesize
580B

MD5
43c21bcf73b5a6ac8b243377bfca1b70

SHA1
a93c4253568fc1a4efa43f397e9af397198c50fc

SHA256
cc42f66a6a29c515747ba232b697056f1a83aadde3977a0ff35a46c1bdc007a1

SHA512
bab7a8bb3ac9ac8ce7f98842defa70fd86daca56291ca2696f66b29e33626626823aa3b527d3f7ae0cbbaac86edfab936e3acbead02e348ea46bd525a533ce10

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
15KB

MD5
84372731f4d3b54c61834acee0b434dc

SHA1
71e9289e486df5eadeff10e2ad6bdd1a00933f30

SHA256
6879d0edcaf91509826b5703cd5155dee467a3bc7040e91083f8fd5c7dca9a64

SHA512
165c8910c06abb766e87b14ab29613b87803392cd7dd4236a37abcde71ff0aeaa948bc2965e34998dc57cab587df24133b8b2f40e19881007044659a5da9b5ef

Download Submit
C:\Windows\SysWOW64\system64\Security.exe

Filesize
469KB

MD5
e60cc75120901abeb61e9fb76cbf96ec

SHA1
228bb950e891943002c0c7f604f3c3feff6d135b

SHA256
ecfa5c1f460a2d96cfe17c13b7b77f1755ebf4a96d114a1d8814d85c78483ade

SHA512
6de5b0985238ba664985f5b0371765ecf8e6a31bafd5dd3688fefeb0c93cdfe011adc4aefa2258afacb6278e5f83199c96c1247671adc3e319ba45150c787b41

Download Submit
memory/1108-47-0x0000000002B00000-0x0000000002B5C000-memory.dmp

Filesize
368KB

Download
memory/1108-52-0x0000000000AA0000-0x0000000000ACA000-memory.dmp

Filesize
168KB

Download
memory/1108-32-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1108-31-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1108-45-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/1108-44-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/1108-46-0x0000000002B00000-0x0000000002B5C000-memory.dmp

Filesize
368KB

Download
memory/1108-50-0x0000000000AA0000-0x0000000000ACA000-memory.dmp

Filesize
168KB

Download
memory/1108-54-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1108-53-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1272-770-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-211-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-216-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-217-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-218-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-203-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1272-853-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-213-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-1217-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-1216-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-1060-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-214-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-212-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-207-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1272-210-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/2664-18-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/2664-17-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/2664-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-146-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-58-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-148-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-191-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-33-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-49-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-147-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-30-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-29-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-56-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-28-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-27-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-57-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-48-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-26-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-25-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-24-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-22-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-21-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-20-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-19-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-59-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-144-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-145-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-13-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-11-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download
memory/2804-12-0x0000000000210000-0x000000000028F000-memory.dmp

Filesize
508KB

Download