lumma | hxxp://147[.]45[.]44[.]131/infopage/rsqcf[.]ps1

Analysis

max time kernel
291s
max time network
290s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-12-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://147.45.44.131/infopage/rsqcf.ps1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1640	PASS-1234.exe

Loads dropped DLL 1 IoCs

pid	Process
1640	PASS-1234.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
147	sites.google.com
146	sites.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 1240	1640	PASS-1234.exe	126

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	1640	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801213750941067"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000d3d58d60dd4bdb01341646e1e84bdb013a040c1c7f5bdb0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "5"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 5c003100000000009f5931631000504153532d317e310000440009000400efbe9f592e639f5931632e000000f262040000002b000000000000000000000000000000ec94010150004100530053002d003100320033003400000018000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	chrome.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
976	chrome.exe
956	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe
956	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
976	chrome.exe
1116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 5032	3964	chrome.exe	82
PID 3964 wrote to memory of 5032	3964	chrome.exe	82
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 4464	3964	chrome.exe	83
PID 3964 wrote to memory of 1124	3964	chrome.exe	84
PID 3964 wrote to memory of 1124	3964	chrome.exe	84
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85
PID 3964 wrote to memory of 1992	3964	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://147.45.44.131/infopage/rsqcf.ps1
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffad9dfcc40,0x7ffad9dfcc4c,0x7ffad9dfcc58
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3896,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3108,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5012,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5180,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5220,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5464,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5480,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5456,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5532,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5568,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5796,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5192,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6392,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6256,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5592,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5676,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6748,i,10591808399740069711,13052554600604482081,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x2f4
1⤵
PID:2880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\PASS-1234\" -spe -an -ai#7zMap32432:80:7zEvent803
1⤵
PID:3040

C:\Users\Admin\Downloads\PASS-1234\PASS-1234.exe
"C:\Users\Admin\Downloads\PASS-1234\PASS-1234.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1196
  2⤵
  - Program crash
  PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1640 -ip 1640
1⤵
PID:3116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9b51b79d-2ab3-4216-8bcb-8e7242ffcb2e.tmp

Filesize
12KB

MD5
bf4f680c4428199611f7baa679a3bc6c

SHA1
923241ea386c8b478131d3af1a8e312270284453

SHA256
1556188d8755a8bc2cbed5621c9b79e2f179d52f5075806ccfc7111edb395855

SHA512
f96257ac800b70db9c6efb923fe91abf7d8c0c18d882fad8c30d1ca31e80706078bcdbf2da5e0a54065fd2c6c82b0ed40f9841048807df763bc3c23fbf1c5627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7939ff6bb34b18876fe532e25aeed07e

SHA1
904b1faa307c7cd1a521feff634ae87ca083c655

SHA256
42730656829918ff0ecdd124dda5c6b6d4d675d99a9331740a7fb423f335826d

SHA512
cd77040bffb2759679aa107da9e622b25d130f93f41fc9ceb40f3c27c8b37b7160118bd8bcafefa00e34b0c495637565e9ee84694cbfb05602d6447946b36eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000036

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2aff2120c95cd9f2b8f4c5aad6594b5d

SHA1
ef1f49c8f4c04a64b65976d27509967603bb21a4

SHA256
101a3ff3d9caa0588021f6a5d95d87739e8e29f3cdeda27f787e56a632df6a9d

SHA512
b97b0e57260cec677ecb5a1c42cd5150c6769baffc7cf55a19f213b948dc074d18212b138425598e9ee11597a5251a70b79791a0f9e0e66502828dfd1c94d1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
27e06589ede75dc9ee611ccf1d7a8c7e

SHA1
4dc00734e2f4ca554aa717eef17a2ecd4fe6fbc3

SHA256
4219ec83d460771b3c568d7586e60a0d96eca63edf1a56345f4fca9343a40f4f

SHA512
c463098b523f1e7de802c9e023cbb2ecfbcebf778ac0ecc9dbb2cab5e315f73ae4a177af78a03d8de4061ed75beb037439f0f4683bcd1f743708de096e5b9756

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7e8e40a1441347c33aaeea497bd632db

SHA1
f7951e1d8e8f8aa88c543c578af0b49eafc98b39

SHA256
7a74bc4e74bdfab622be24a6ae28f79136f822fd8e560b7d7aa235a5bd8a02cd

SHA512
70ddb28a880ad20885987726e661d2fa81400fbc2c130fbb42def6415516f93e8489627e318a3de5e5fd10301f61037d1e4382af7dbaff539803941427302d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\942e2e06-e3d1-4b1e-9735-55e19c1e4f50.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
05947f6fe22757b10221254de459265c

SHA1
0253795d6d3e3d4d91c671e0f79e6f7dfe65cdb7

SHA256
163925dea8a9fd870e9cba3d28098393d36c92917b030a2d3d0e4bb7430f9cb9

SHA512
386a98140d110216c8c42d141e2cac06a33a785c495111b5ccd9c209b40aad94f4ad8cbc4b5de66ae5672cfedbca9db9a168ee138da55da9f099d1e69b64ca3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f94d1e13a8790fcac3dd661da8d0a9ff

SHA1
c23a64f24fd329b6754a115d912e33f1078131c2

SHA256
bab82a19e2e5ede3c74606b74929c2434800f806d410560b00eab87a93d2fa1c

SHA512
aa63dafac3e6caf193e2eb398773477ad897edd3e3dc98a403f7feb00c44b56be530b3c6931052f24f17d4b02752c8eb23313c6c7dfcd86514e631cad43403bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
bd4c06b6daf74be226250c0c9761f937

SHA1
ab531250fec72547141b818fa75c5acd82a2ec50

SHA256
b6c041ae99244d5629158cc3de3d43d5797bb14f0acf6634cbd7b5868c157e29

SHA512
3f421ec78c8f510671b952cc1b82188e42cdf92502a77457b5c61fa355f7c6570f7c556305f23d0604f45e6c69d49267d0a7e2285e354a49222a06a4b38398f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
2b35fd4480b523720018362b3a5b5066

SHA1
5096c4e13bd74493d5c502fd22f5d7be448bf255

SHA256
8287cfea8aa46e93aee4b10e712d908806c4f210d71891a7b0feb036f97acf52

SHA512
7118b619650ae38825a4aa8a7f86525da2c3781be8110cd8532e0ca47064efc6a147b14b1506a22acb747786faefc579c3aeab5ad720ac596614a77456f96f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b072e09fb1aaa4655d8108a51f338582

SHA1
ec971bd8ba04aac8d499b7976f47eedc8cbce7f9

SHA256
e12e8501acac19e8e14a5d399585c46719a1eb34fe58bfbd11986a51a81542f1

SHA512
a882945c7a21e93db5d5a8617402b68eea25db58a3d42b8ca5c532866dbea58568e33ef0d9d2ed28412d574926cfbafefc196dc3f8257f9de6a6d1e10e0f6191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
76c5faa5801eb0c856c237ca4ca9b801

SHA1
3e8c87817a921fd1a92df5efea925f73a0844e25

SHA256
eb05ba789f035ac035653ddfbcb1550e03787cebb2ca8f2bfc1a257df2c534e0

SHA512
1853fbd7f3f4f76941dc581a2c5c9a53852f70e58a8cae626aae1ba7891138e0fb24041648e9e66fe5e50a5dabc753c268c475cc1c9841e12cfe1e8ce08c2734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a08e4c834b0aab82382f29d20eaad59

SHA1
f676cbbbe3bcfb8f3bc112dfbd84ab3efa491475

SHA256
83f5378d40b4de6f2d1c46d8c2f62c652f7f2f40ff6add0d4077ca37fc75cedb

SHA512
5482fe56c9871d9bb93060ec01461418028e5c9252b827d033647bb7ba25512652ce5ce0737dbb23ba5487f35cb821e50a46d6aaedf7e561190e0ac1d342f598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6d4a11b46a291c746a9ba0a1be017a74

SHA1
9324721a8b54b0eb346c41199836fbf8810dc479

SHA256
b195d8522e1864538b345d283d645a3e52acacc9eb7ce845a3d9400299ba0052

SHA512
6229d83082950b8238f9524717b72e6c9eca0554f803a42a93f4c4e30d7c1312ae945abee7a975dd578a628628af36a45b3dbe20df63c0c6fddce374367df2a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0ed4126e1ce2934b3387cd78fcf38c45

SHA1
bca48233e95eeeb790b0d52c2578d430da23eb2a

SHA256
dfe905cec6f9772c06b73f76b641caa11597e065a9c5ec2596b3d827cb005c50

SHA512
059869b1e5a54c9d7f74e2c66cd4cab3875fda5b6d6a666c14db35aafddbe4fb71ae901949e09c1437bb3cfad30f974076cf419e46f207cf3f3ab46ecfaca530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
483dda7a8b4f46c1b77633213ca862bd

SHA1
bad16a67f37e07a3e10f2bfd33893a81ca1369fd

SHA256
0c6aeeb793c9e9dbc707d5d4d0c2ff06fb702c725b421b4537758818533a898b

SHA512
d2632f7e8d44ca86ebadd21e92013c9b3e1e7ef224a1103efd4b8214220b50f2fa47f3347cd8580299c9b7d2059a63010b3d994edd9ba2862b7a64e2a01d65a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
41fd50290c399481df9b31d6361d07c9

SHA1
67f3af88734d057923ea9196a19d87433f777c66

SHA256
0d670fe237bf3e73ef87461c2237a2882737ad16ee29d73ea18de796b9d2338e

SHA512
5ff5f62160588d3af181930806e19ac6aa3daea0707fb6401d4477f3c5ad94f42d97388ef879afc66dae3e7c5109a4a386595a4105c7259ad80d354ad787f6cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac4c0397d98b6b172f4a31573615c100

SHA1
f032e4b11e0797698ddf735aface468d4a2917f3

SHA256
b47e72fda6f4fed68ea980e7697025f727b02a237a0d18caadf5eb8f1f544687

SHA512
09bf8f630f9ff4730a87123b2236d7a7137c6d77552bbc5f532473cc18e84ba0a9009b87213f9b7369d37bb2c7f7c40585b85a5e0b03aa36dd39486196373311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc9b50f05977433341c440ec6a8575ae

SHA1
3fc9f99eef4d36f00b6fe018100609a154de8adc

SHA256
218165224275110bd9c0570870e8862676229daaf6fd0f4b2910d865576b6baa

SHA512
85e9240c3b2b1b968d2b727bd4297d5caf384c178da68c14eafca6579b7e66b0d54820eac13446ec8623b6367976e6d06fa9d4723e7e38bed990634dbb8fbd57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c3710b77aab6a6facdcab1bb84fec207

SHA1
4066cb910f5d26ea53f6cda5e36dc4aef04cef5f

SHA256
de0b47462108ebe82517f8b816cd313bd2d2567f0136b520740095f16cbcd0e7

SHA512
7fa15f4a2fa43b266fbdddf01ac76838982613c47b7f0e92b2cae035622fb5a7ced9c7c131a62d8ba1f1e76bc99eb472457ae038c030b591af4c8546015a3c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9482d6fe9179da5109cd4143ed29ce6c

SHA1
57079feffc164171abbd18d3488b788c8854dec1

SHA256
f3f5cd1d280d5f5f8a2bd24c1643472b660dccd35cf8b2cf8ccf6c21a94e4ca2

SHA512
a8ca2c0e3ee57d088bef2ff9f5c14979e308dd37f8e4d5bc98afafdbbd9027f36a0d5a4fe4530294651e9a74282c562fc2a08c96f3271c0ed6efb7aa2f706afe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
75d859163eb5e4d04a2da4828395f113

SHA1
158a58113725efa367b0b19bd494d08478358c5a

SHA256
4797e9848b6625292b9649529a7cf8ed4fb91b86518906a45e46ea59ace2956a

SHA512
49d73a7932bd8a6d60e3d962f3a8dca8b9ff5b6348e5ee516b1f05ae3d9d5f4bbd39e9c4c0d540630f16336877ea6a98b8b650022a3e94524720920a5e0a3903

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1d7d245ec6e6ca41727010ef53ba95a9

SHA1
2cddabc296dc8eafaa69d2046f3c5233f4504479

SHA256
2c129b20845ccb8179f4b85c4d14e2b0747e9d5329ba5f162b59badebc9b348c

SHA512
dd35852aadc5e0d228f34b9c6b4b53173c1b74186b777f7104c7ce9b2c2288033680aee4b57a849bb49b9d1a0a7e6dde6baea7749fbbacd7a157605b237279ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a53212401e8e061495cf76f6f73dc73

SHA1
f2b6c98da0c9088f1a65c1819f29152064e93472

SHA256
6ddfe9aa56721b49978114dc9ed79c3e7b0a33ce43d722969d5e6e7079de926f

SHA512
fef457284160e2d7ed49e7e3a1683a14455e50dee0b92e977bc3a33585cf737aae93a9c01cf5a0763a18f2a80a5a9339eeb51879a974eb5464ed23c9abf52012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3050ed5869b3b29de03b8335375ec0ef

SHA1
e31c8e2c150cc10bc4b26d2257c7316900d41972

SHA256
0af21b39b9442f28ccee4bcd5023fe3fe066e56b2514acab3c8cf0890712befb

SHA512
730dfa6de8d82d27186c67695e0763ef9405ddc35a4c36d8870885e167e5782bd700dce8860465d379f4d06d28a92e7d08e2e2570263941476543189cf1e9763

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2170e1ecc5d506ddc3de91b5dd727566

SHA1
fe35eb5be17229cb07ebd308d3d583c2f52a8c21

SHA256
1e8eeda456e7920f897a8975640923ae042456e11b5f709f78681927d481fcf7

SHA512
49e89131065442001b08acb695aefcd0baa127de0a0099b365aeee59c1568c78c91909ff24ac73e84ea4807303679128a59e32589167170d8ad14ed9d3a19a5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c000beaabe261b31dfd29a27138d6930

SHA1
824873ec26dc4e8a275db3559718b1216d445951

SHA256
b12cf4dc320e41255de518648c15d4b6a92f3273c085066ca1af38cd750f3573

SHA512
2bdde3dd13373802c0469fcb5144f5e2b975571cc945d67146bfed0088c642143d1c9f5abaa82a58081caac27bd69fe72ec832d2be7432fad1665da69f962e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
153c551366d264423f73d8fe39193f00

SHA1
ff9f5ccab237c60a3fbd795d3932bac511b93b75

SHA256
6b6db679254cc83b75f5b033a11b94d2575eb7ec44750c0e17dc7ca1bad86263

SHA512
d64255045faa2e1116cb6fe2d451e168b974d3ed30d94f70bb73f7ef7aa263d9b0799705ce654558b25b166a28e340269bb5ebf03db3f10f5b62352061ae2fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f1a03e1e96dd4b61c8ea6095ef825d3

SHA1
9447e0eda361c5426626a61475dae37ebbf5ceb3

SHA256
eef771e67281a9ba2393eead4ba6745be70b45dff47906f5f29a83d7e09b168f

SHA512
9f36cc04524a64b3dd6b3301789fea42cb4b35bb9d05c77f593bf6a74191270f49e45323361f7792dd2daff7b99fb7549c3367e0d3b006b41bc70b7bf61b34b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
93386b456ae1243ed86f7c03c729cfdf

SHA1
4ecb190922207628a079c7b9e2b3a46c618412cf

SHA256
f0fe2d1dc4696a6ec4dd6eb602e9effcadcee204d2aaf71208e6f8f519d04e98

SHA512
a6829e1a8ee08564fe7d5d695856c1a7780f4c5cc4b4b181f961f0eae409ecf502c3fb27e11c11b057097d6a23f9584c29fb0b9f857a418022f38df2551ebc6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
35c0363115428ce02c3552010137297c

SHA1
9ba213b3dd7f2615cc0ce84bda60151d91852606

SHA256
0f4eadb591cf5358e5dc93b9d70ee484b8005ddb4b88188338fa5adad9921816

SHA512
0566960bd3fa1c7b2baabbe002a70812743ccab5bda3e19c93e757e383e6dcf2ccb302e479dfa741c1a1b374f8b0cb69307d54f05055f08917faf0c514d17617

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6a73086e634368d2520f6b216e45828c

SHA1
62826f2dcccad10b48d6a88dd84b71a1f70a0745

SHA256
39516531c3177de03f42939069ce9914a25d6163d99cac67545e047bea9c5855

SHA512
a76bfb019399131f26b95e817f63c90fdc6b4a4181e26164e1d951fa4be29492eddcdb30c5bc47869df658f8cac5c4b86becd77222b586c2b88ae823e7d5e5d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
977a3a30b395d3934e43e975af597305

SHA1
3e2c17c2fded984e304396f553dabf2b70eaa5da

SHA256
38818269440862b4a38b1e3e275e2cb62e6cdefde555a0f3400528718857320e

SHA512
0a1dfe9d0995a7b1ff41ab1dfc4c679ffa1b5d4b85409679c890eb88ccd8681d8feac562c693c05a84da5948fe8ee1d31a2d8efdc30f108e310fcf75fd686f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9ba84f19fb04afdf07611432534bf988

SHA1
0bc193ce7315031e1fbe2032cdbb2c4e015ac08c

SHA256
473715114cfa35dcad22e304cfc8610122c16e7b6a4cc2e43179f07cbbbd2a69

SHA512
c12f42fb2d24ceab399283d431176f61b48b63db5fd04591153484f9797c01f7244425235a6f7dc6fe5d613dbf22754226b09994834ee6044c472127f582a761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3545aaa8-8d59-44b0-97bd-732261bbc29d\index-dir\the-real-index

Filesize
3KB

MD5
9078c5936f9cc8a38b947b4c4c836ac1

SHA1
fcf9b1cf2096478be678e690304fca965f15b4f1

SHA256
869eebfaf6392e5b650a91931e8e2f52dd9691337803ba9feb568567bc0720c3

SHA512
074c42af326008d75964bafa0887837aaae63cd9f5d5088f427a27b4f5b2ebb021b8ab112d4eb85402aafb9aaa5ae30bd39ccc2a998d400b68c2cf17be0bfdf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3545aaa8-8d59-44b0-97bd-732261bbc29d\index-dir\the-real-index~RFe59c28b.TMP

Filesize
48B

MD5
c2e19963ac9fa98a87744fcc41dd1307

SHA1
03c246c0ab8060b3bbd8406feadc45c14342683e

SHA256
3657d7f1af5cc407b11c1afb22817618f7205a1dfd33c08185670ddb178ec2fc

SHA512
509cafcee058e3d3032f8667b8efa248d072c5422245267ef785fb75550fb8fe0174d2afef5507e4e9a88ed97ba963bc4d2f93d4ae4cb1f0c24127c218b9f32b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
785ddbbf3ce66f0d84c0a054cce9db25

SHA1
fa4519f0ee54237906ff7cf3934bbbc6d1b4691e

SHA256
ba0899bc7fe56d5b4036e88e4e4f60a389871beb34170478e8edda4c5af33c2a

SHA512
6be6feee498269adfd9f56e9bac562ff54dd64765064d14c9e95eae657e8f27e8d705550a72a92acd99ce298d36e19e84b1dee03505f9d3bc9939136373e1bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
dc5e21032a56d322e9a6b70f9c4910bd

SHA1
322010790d620656e78fa36c5b6e38b021c131e0

SHA256
3afa37c3e71e3b1668dd98c17e3251c9aaa8e6afa00b8f00dd132c6695a88af4

SHA512
c8a5ce624fd8fc8877415e38a90d3ca37420fa16ffa054749d746c5e692eb5dc6b0f516d69dcbb8c2f6bc552c7bdd3affae83d2c6e55092035a124610cb5db5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
200B

MD5
bec11abc664b35a4aa8dabfeefb99d51

SHA1
fc01627c02ad459b80f8e6b46727db89cac95081

SHA256
55ec11d4dea2623a495bde3feff1049076098f0f627a9ba2722c2c53a890586a

SHA512
25585b9d4dc0ad50b5ba8d5f60dc11b0f9311ccab66b3dfb5b0147e1f0bf28cbd06d897289bdbd531122d9ee10fc11f71be8c83681eb91cf54b75c56947bace6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
112B

MD5
218427c048db8dcaf2923e03934d5e4c

SHA1
c3fdd569cf23cba45ac3a586aa7b683169716f02

SHA256
a51af1d89e284b64d4627bed0f0b7c6bbdd349e2bb9cd95ea4420dc0e4e0df9a

SHA512
96f83b4f116b7159d395dbe644e6b664d3c7b46f4659a160f75af985c1fb905d25b1255339b3f3f8588a8d84924ac355707416ffe90bcb2533866b9d6b3b9bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58e625.TMP

Filesize
119B

MD5
b1d27538503136e4c0ae81c295aed721

SHA1
b8afdd9828e2fd8c45cc04ad3d12f6ca51517442

SHA256
a63a528bed480cbae505c72080dbd1b936ed8c3682229b7e86c4f23151c9fe9a

SHA512
6acc084c01e8083190c4829bc86a646c27ae2b894d77b4664949f90d6a2bfa7a9eb4f22b153930eaccee78beecc609cba151d2b1b930540b04b53f0c270156aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
dad736d20c24006d1727c8ac6ae47128

SHA1
cbb0b2e04ddbda550d015fbfe77dc61528e19057

SHA256
25be172eb95ed6090733548693795d41e99243bbf55e7464cf6a169582d042fc

SHA512
77c5b3f33f7a945fe3fc888951c473a34b6c9cbe0b3a30d7524bbd7d64720ef1c0eba4f16fac9d9002ca27b974d7a6d994d3c18e9df327e1f2595836dc272cca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
a497bc447505f9acdd1b994341e72229

SHA1
c6da65d12ee28cb33057ff1f0262e7ea4418b30c

SHA256
c25e93323159f866b6f17137be6ec59b00e661e16176d0d4394bb340c7220c52

SHA512
31bc8b93b653488d680fcb630753347378c66d245f5e0a636a37527444cb4486c039f2b1da2b23174cc6c883a78cab7883a413c431d43c78431887a37bb05b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
144B

MD5
25f7af7405aae1e4a7df3a3b1419c0d0

SHA1
e11c00838eef691e5d4d0f3369e8a337506119bb

SHA256
16fb487d60638e7d526d5f67dde14c7907d36f242cfd81ccd0b067a654218977

SHA512
15bf4b7a23f451bb65439ed3567eca02929132b9a1d4059f995a1aa4a2a8c173fba9023f6309416a9d3fc882fbda99d3a55f30f73dd9b70616134d08b9e03257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3964_2079818719\Shortcuts Menu Icons\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3964_2079818719\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e516d0d8-8887-40d5-89f5-c591463d42ea.tmp

Filesize
12KB

MD5
35b2b0a0d02503d381cd377790024295

SHA1
bac8abe328b6f30bfb7e267d0f1e4baddef4138d

SHA256
c59c52db860cfada03b0ba8aa1fe8e6e26f0a3beda9d9aaf0f7db04382597999

SHA512
12a7870840dbec992aabf4aa266dfd2ff4451fd29cc27b3b60aaf259125236516352d47429548ae485ac71db5e5fbae5726e6ab738cff3e501895989dcbf275e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
141d92ee8ade1999c7783df20244ba03

SHA1
a5c7deb62db7018d945e08288d66c3dc3612783e

SHA256
b4a9851036f2b5557a8757a988685ad4fc34173b1e97c5f6c0df469f6c5542d6

SHA512
4b1de6896276b5259f683e158365633a0d3fe3200f660f0463e216852c00f420548652db9528582844cac95a5524841471f35c3275ac61a0d116cdb8e8790d1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
bfb444a4171055e8e1162ca637118bc0

SHA1
0551c50b21ed57186c6d2b4bcc609fe6698eade4

SHA256
50ffe628b025166375b5a9d46bad3635cfc34015d0a9c5b7b8ff8fb4e4660865

SHA512
3b9e3c9054298443c904764afa2cb73d6455a1ca337c3ec4a25d25550991ad11cf6b7449be2ee4aadf7ec9f109613fc6f05e90a3fa85ca217e2379b9876779cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
05c10909eef4c83be196b07e9c9103d3

SHA1
1eb60d6f54f45e201729e6be3138e8da38bebefc

SHA256
d02caa8992e694af5cc0a9d7c9d2f9707dc10cd30f4567cc1718692a1a1ff6d6

SHA512
0127bc6ff86b72131d5291c5046f13bb10be7e3ec92f77c9625417a28ad987baa1761b9996ee1a1fbb01ceafbe30eba7485dfcae55b1dcdaa325b7462309ef15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
440KB

MD5
83dc86f237cb3fa341341ab483f5f9c8

SHA1
cc7fed2a41050e91eec7610bfa512504e7e09276

SHA256
64b2eb92664876a239471d161f9ba53f6e5ac689a0f478d99bebdce10eb26ffe

SHA512
d262d592063622b9e7eb818fe7ba87c64bfeb9e701fe8460580bd8483aeda4356e4da03b9bc173aaa4ffc91d454104713da14f3433d719a35a7bf2d30de30a08

Download Submit
C:\Users\Admin\Downloads\PASS-1234.zip

Filesize
37.2MB

MD5
7e5548fc95de475be4aa4c4f35c32929

SHA1
0537634096d1ee41dbe444403189718d234455a0

SHA256
1994f509f9a7bcb4672cc096ab3f7acfe895ce29ad8db95c134f8d06f2bd6eab

SHA512
31215a9c4362018867c6b8fa61909eedbef991aa89a451e2af54c7ec73286dd7934b60f1ba53b7aeeba0c0067f1cb231efd210bce4bd887041af2710fde408fc

Download Submit
C:\Users\Admin\Downloads\PASS-1234\PASS-1234.exe

Filesize
720KB

MD5
0a6969efcebfe17a241fa4d9588f052c

SHA1
42bbebbd7e5ff618751ff30b4ff2ce5a0ddffa24

SHA256
c1dafa22b34694a280147ef4dcdf421d9326b219eadc68841de35151b9c5db26

SHA512
490d8ac860064638d392be1fbcc9ad4af0133dbc583751007242b022363f52521261d2dceec1da531430f24ad662bd80022cebac85321a9deb8e6e4f3695f4ef

Download Submit
C:\Users\Admin\Downloads\PASS-1234\libbry\libb3.dll

Filesize
21.2MB

MD5
d048a16cf471fca67d6805385a2488b1

SHA1
3385cd047d14909ccfc0f28d552c2301272e0af7

SHA256
f00a35a9725ab3ba68cf340c547e88e8916adc5c2e8c9220d0a76f0f83ff14e5

SHA512
1249f917a600a7abaeb88e2efba9583f840bb39c769aa481b991eea40567a286c831749f7950ead4f83d4b6407209a517303a5e8ce7c3830882ff6627a189ddc

Download Submit
memory/956-1002-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1009-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1004-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1003-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1008-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1014-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1013-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1012-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1011-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/956-1010-0x000002289BF00000-0x000002289BF01000-memory.dmp

Filesize
4KB

Download
memory/1240-992-0x00000000010F0000-0x0000000001157000-memory.dmp

Filesize
412KB

Download
memory/1240-989-0x00000000010F0000-0x0000000001157000-memory.dmp

Filesize
412KB

Download
memory/1240-988-0x00000000010F0000-0x0000000001157000-memory.dmp

Filesize
412KB

Download
memory/1640-981-0x00000000013F0000-0x00000000013F6000-memory.dmp

Filesize
24KB

Download
memory/1640-980-0x0000000000C80000-0x0000000000D3C000-memory.dmp

Filesize
752KB

Download