lumma | hxxps://playstoreforpc[.]com/

Analysis

max time kernel
210s
max time network
209s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://playstoreforpc.com/

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://medicaljummtj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 10 IoCs

pid	Process
1856	Setup.exe
2364	Glance.com
3532	Setup.exe
5112	Glance.com
544	Setup.exe
2728	Glance.com
3248	Setup.exe
1160	Glance.com
1324	Setup.exe
5068	Glance.com

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
4948	tasklist.exe
2200	tasklist.exe
2796	tasklist.exe
3028	tasklist.exe
5032	tasklist.exe
4484	tasklist.exe
1492	tasklist.exe
4652	tasklist.exe
468	tasklist.exe
2696	tasklist.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\DaleBriefly	Setup.exe
File opened for modification	C:\Windows\HighlightMandate	Setup.exe
File opened for modification	C:\Windows\DaleBriefly	Setup.exe
File opened for modification	C:\Windows\DaleBriefly	Setup.exe
File opened for modification	C:\Windows\HighlightMandate	Setup.exe
File opened for modification	C:\Windows\DaleBriefly	Setup.exe
File opened for modification	C:\Windows\HighlightMandate	Setup.exe
File opened for modification	C:\Windows\HighlightMandate	Setup.exe
File opened for modification	C:\Windows\DaleBriefly	Setup.exe
File opened for modification	C:\Windows\HighlightMandate	Setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glance.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glance.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glance.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glance.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glance.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133815827012255700"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
2364	Glance.com
2364	Glance.com
2364	Glance.com
2364	Glance.com
2364	Glance.com
2364	Glance.com
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
5112	Glance.com
5112	Glance.com
5112	Glance.com
5112	Glance.com
5112	Glance.com
5112	Glance.com
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
2728	Glance.com
2728	Glance.com
2728	Glance.com
2728	Glance.com
2728	Glance.com
2728	Glance.com
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1160	Glance.com
1160	Glance.com
1160	Glance.com
1160	Glance.com
1160	Glance.com
1160	Glance.com
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
2680	7zG.exe
676	7zG.exe
2364	Glance.com
2364	Glance.com
2364	Glance.com
5112	Glance.com
5112	Glance.com
5112	Glance.com
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
2364	Glance.com
2364	Glance.com
2364	Glance.com
5112	Glance.com
5112	Glance.com
5112	Glance.com
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
2728	Glance.com
2728	Glance.com
2728	Glance.com
1392	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4748	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2424	4756	chrome.exe	81
PID 4756 wrote to memory of 2424	4756	chrome.exe	81
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2892	4756	chrome.exe	82
PID 4756 wrote to memory of 2452	4756	chrome.exe	83
PID 4756 wrote to memory of 2452	4756	chrome.exe	83
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84
PID 4756 wrote to memory of 4184	4756	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://playstoreforpc.com/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fffcdbecc40,0x7fffcdbecc4c,0x7fffcdbecc58
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1556,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4968,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5092,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4928,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5112,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4672,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5504,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4944,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5828,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5036,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5080,i,2763760693037168409,4896347594285746311,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18237:126:7zEvent13280
1⤵
- Suspicious use of FindShellTrayWindow
PID:2680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16642:122:7zEvent20959
1⤵
- Suspicious use of FindShellTrayWindow
PID:676

C:\Users\Admin\Downloads\Old_Setup\Setup.exe
"C:\Users\Admin\Downloads\Old_Setup\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sofa Sofa.cmd & Sofa.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4652
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662089
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3788
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Donna
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Scotia" Kerry
    3⤵
    - System Location Discovery: System Language Discovery
    PID:100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662089\Glance.com + Newsletters + Confident + They + Looks + Fiscal + Coordination + Rainbow + Outsourcing + Hot + Star + Simple 662089\Glance.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Underground + ..\Jobs + ..\Significantly + ..\Testimony + ..\Sunset + ..\Quickly + ..\Reconstruction B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\662089\Glance.com
    Glance.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2364
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948

C:\Users\Admin\Downloads\Old_Setup\Setup.exe
"C:\Users\Admin\Downloads\Old_Setup\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sofa Sofa.cmd & Sofa.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3788
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:5032
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662089
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4288
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Donna
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Scotia" Kerry
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662089\Glance.com + Newsletters + Confident + They + Looks + Fiscal + Coordination + Rainbow + Outsourcing + Hot + Star + Simple 662089\Glance.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Underground + ..\Jobs + ..\Significantly + ..\Testimony + ..\Sunset + ..\Quickly + ..\Reconstruction B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\662089\Glance.com
    Glance.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5112
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1392

C:\Users\Admin\Downloads\Old_Setup\Setup.exe
"C:\Users\Admin\Downloads\Old_Setup\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sofa Sofa.cmd & Sofa.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:344
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662089
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Donna
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Scotia" Kerry
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662089\Glance.com + Newsletters + Confident + They + Looks + Fiscal + Coordination + Rainbow + Outsourcing + Hot + Star + Simple 662089\Glance.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Underground + ..\Jobs + ..\Significantly + ..\Testimony + ..\Sunset + ..\Quickly + ..\Reconstruction B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\662089\Glance.com
    Glance.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:2728
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328

C:\Users\Admin\Downloads\Old_Setup\Setup.exe
"C:\Users\Admin\Downloads\Old_Setup\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sofa Sofa.cmd & Sofa.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5112
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662089
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Donna
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662089\Glance.com + Newsletters + Confident + They + Looks + Fiscal + Coordination + Rainbow + Outsourcing + Hot + Star + Simple 662089\Glance.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Underground + ..\Jobs + ..\Significantly + ..\Testimony + ..\Sunset + ..\Quickly + ..\Reconstruction B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\662089\Glance.com
    Glance.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1160
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976

C:\Users\Admin\Downloads\Old_Setup\Setup.exe
"C:\Users\Admin\Downloads\Old_Setup\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sofa Sofa.cmd & Sofa.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:1492
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:2200
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662089
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4712
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Donna
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3616
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Scotia" Kerry
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662089\Glance.com + Newsletters + Confident + They + Looks + Fiscal + Coordination + Rainbow + Outsourcing + Hot + Star + Simple 662089\Glance.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Underground + ..\Jobs + ..\Significantly + ..\Testimony + ..\Sunset + ..\Quickly + ..\Reconstruction B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\662089\Glance.com
    Glance.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3db37a4a-4d0f-4c20-a690-5c5f29177ff7.tmp

Filesize
10KB

MD5
96d08f9f6fc9fabcc0528c42e4dfb0f8

SHA1
f6eda21c74848bdba1810c2ac9eacef24084e3f6

SHA256
3d11576a4151bbff4792c378dcf77981a6e3412254be8c8f272a3171640d85d0

SHA512
534dbb956c3aecf81ff05d854ee61c14d73c7df9e122154504e33205466561e4804d15e8f64f8803c45b5f540a5b47e83206613b262e988f443a8405d4c6fb7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
8735320ca90fc0ca6f82358f107729cc

SHA1
773badccd1b545e9d7ffeb628719ae9a234ec930

SHA256
78365f96d985869a7a0f21b4afa6216143a770ec29da3c4afc6f879219ef1b8c

SHA512
c0b2adfcd4941e501ca9aa1e834bf4fb5f8508a6e275036221d46ee18bb76ef17dd9f290a096ca922c7ecfdb7aa3de2cba2c4a4ef3d115f5744f42edd00aad8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
04e42331d6f390f9017ea713b00e5dd3

SHA1
a40084ba105b1396ebd3ac4173880984d0d8b11e

SHA256
43894518ac76c20a8cf1db9433518c381a7d1bb2113683bf32342cb2efcd6347

SHA512
603b3cc8f52b16601c923528f40972a93d6798589703929d2d0d7c02ad3a4519ce05278c1e7cdc8a770906f83d5ec1fd398b519589193820fe7996a919b6bf8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
5bc46ad3d615768077a5b445a34abe7e

SHA1
70a573044f5e210867cc7a8fe1cf5a549c7b9cb0

SHA256
9ac0aa0bf6b5a3ddfc50ff86d10733767c05b3135498e06cc5b8dfb5a9d82ca5

SHA512
451b8ac2d6c34a961f0671f99e2dfeee40a76760aa7010d1a62e4be64c329f5ae1b366d754b8369839d003a8dbb84dbb089b722caa42321be2d8dbbcd6243f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3d88d0724f8c8c7005b95419ca1d4bb3

SHA1
d6e1910856d7c055c5dc4f230a4fced763a472bd

SHA256
f5f9dde3c334057fc9a3fbaff6865e31f478c9dd5e18bc81a7b58da13172d05c

SHA512
610ef0a37b18561dbd0b7789f7fd2368b608783442316e0b65601ceb46a4678f31f9df52baec0fa076fd6e6eb560446e81ec831ed4b7303584ac7c641a851a01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
a5f0af9080aebcdd42bf5a5349e3797b

SHA1
f684a8b01435a79d273ad9492750c09d4ea742eb

SHA256
eaae2e2d8093ca45486e81b649e6c1dd4fee8e19639f34b0254b2e8cbf795959

SHA512
2e51d902bc53fe4e8fcf819cc1486dd156c8f431afe348b1ca1cbe519d68a45fe5c07b77d7ea8a148f2fb121da52a6b4e4c5f027530660041809d53dc5a6476f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a1c7d6ba345908fdb77d5c22d6917c87

SHA1
3caaed0307032f591a00416555d0f8c0990d362c

SHA256
3759c2b4737973294a4a6f33d4c9c6beb3545159f47930168b8ce2aa8f3c0d36

SHA512
4d1c4bfc74a3d3d5ee304dc8bb961766a8d4c7064ba982cf68fc037d118dabafede9a5fc0410a56ddefcddc89fc457a1e5db105fbe2fd7771219e99b4994f338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d1d0e29fa721a1422579eaed1bdaae82

SHA1
c65f5583b796a719a10a136fc886f763a4575d66

SHA256
fe16419f4207bc298c9d5ea09cd933d5d5c04ad25932ed304b376c2e6600b193

SHA512
098041f932b5d1a29d9b60c28ed5ed022f07dc2fc49b4b89d1717270249c34bbff294216c54d5ebb8afa637af049ca93df0fa3669a0b8b896028a2b582239d9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
24262167b103ee8d98c6636e59f69f66

SHA1
5241c0e889c486f47ceadba654621432f6f1bcfe

SHA256
cf8ae12d16f454571a81ceb12c36d87a71086701faa56fb88974ecbe61bd07b1

SHA512
1d6dc89071e6c6fcbfb222bbdb9c847f86f295ea3cbd4ec27eaf80134728384b0924298823b950912bf92c0ab49db714a7d6f7d64952df5fc91271110472a3dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6536fc0a37216e09cfe25019d236f123

SHA1
47a1fb950abd3bd9d88986db12cf00f79d687391

SHA256
eb56e9c2d8c4a941aef9cad7946c6fb5fd8b41e30f46b13b274b462a6a0c0563

SHA512
04da5447f02625266140fdb28b23ccffe506022ecc606bbefd29fd1a58caa1acfc89c85210f40f787fea6888c1570133b47ab3249293cd4a62a7ed7349cca030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8afa008e539fd971bcc9e6939f8517cc

SHA1
446944a555f0d5f14e1b8d2f9caa42385dfa27f5

SHA256
c993dea79b8351a42d8fafa588e20b09f5404107a595dbeb0b44808a607ce8e0

SHA512
394e8077cecd0e8df08c2c1bbec4c25537dcbd8b9c91e5ad07a7e239749fd112aee25bf5002ab1afbbf7184996fd5a857ca64148adaaa785a4ed2619489244b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3e63f46865fbfc0145ca51b76c33916

SHA1
205e11fe9f879c567154cef4f735271e9dd5a2f6

SHA256
38b286d5951377a573421d4dfd0e3cb0bfaa84bce8ec60756af4ba37cc61d91e

SHA512
cf691533cf7986e19c4d4b364f665c0f9cb113c91a243f5a74b3371a0405d8430f9f632d7e3293e29a195172ba6b10edd782b87d0cd8d9079ca6354da84f086f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
28a8b0056e98e3e570d6448bcb7866ed

SHA1
0a8a6f6bb4b0abc4eb02f2adea72cfe59e267771

SHA256
1df5b5ec6209ce04cf5e1a77335ff0ab7c03e70ac763e695535e08211e7eb061

SHA512
5dfb255b197418ca85c8b5fed7eda0099a52297bc299d38eebf3e8aa8eea42e8fb8aead554555a7073f2785972e5e1a679858130c7a999db5abc7b167ac8d854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
55225a20901aae25a8482529cb6f0c53

SHA1
9546b8ab031eb0624b1bc25c1a199bc7dbff5e5e

SHA256
1bb1185d54f35f857be55b758c0de83348568eb85278710039d684031ac36803

SHA512
5fe27b41d772215b2425a8c01169d83db8d1fd323f8701e4a821a982b7e3505759d2f01f63c075088754b720f625f555f8e60932af207c2c6218ef4efbe0f994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bfd5e3fc5784eecbed373916fd61418d

SHA1
34e1218da8fe6a8f6e539d10b6e4c4c56da9061c

SHA256
43000f3c6cf9782ad59695bb0806bb6d3d4a2d44c4fa9a8479ab3655ec2d5014

SHA512
92ff2532e4040911bc61025393efa7b95ce66493774ca3f56c686a58822af89b6aa141b1184e80f1014bcb3974bdc277a58636638bffb049fc7653c8af6fcb2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7704ddea000aca7542ae1c4d43f66b7f

SHA1
1139dcc83833ec488585608d802d0c2176fa744e

SHA256
82283dd988916d0fba31977b321c466574498f752a843129ee091a1f329508f2

SHA512
f715e954d0e4987f496ed9d8da791b53769895f694f21d1fae239db8634eb4e4d4a54ce3a2a846fb9712eef75438508c30a29290ba377deba43e7afda4109f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a1a8c156da0cfb3e0bf67261c555a76f

SHA1
e7ab5d4e119b94ff112022027081f3a97585a562

SHA256
23480ad68a26ab91e199516da748291a67c268fbe0139b48955459563fbbe2d0

SHA512
ca5f4f45fba7b98447924b147d075c3f219e31c80544666482db816365bc50a335f81da6904985901c146f8dbebcf0a92306f6b8be53580149b6631df3eaabc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d965d5c99e927a022c3522d1e4dc292d

SHA1
923a13dcd076000483b65de2ad359e1b4c303087

SHA256
4f13cc216f23a1880c85bd7de815f37d464eec21247c8e1b3834fd2f94063229

SHA512
68f6c4fc60c0fbf012657712acfdfc6959650c330285b955e558149d9d69eb7a38149e967f9dc5549dde681158764999c89d0c864ef46a305dcae74f40e6ee7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
47ef49e51a402cf29521d1e1b4ab8c32

SHA1
9d777ca7e115b96ff6735d82995f136e7d3fcead

SHA256
e93f4d9e9c30df39d0c319395c52e091ad04fc4ccf955355bc8aad970a5f2f89

SHA512
6e421f2c9e683e6c397d5b297bdb54fad5164d3004bba4fc0bb5aee686268299af19c12b8802b161eb40304186bbd33e74903069a226497b65bf4bb352ea5c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e47a98c18da4880ced433c6d720d4eeb

SHA1
bd7b6d0ebe89f605b6b78a1dc7ffd3b05e8b4085

SHA256
3b11f0b209320905de08ee7ae7b3ac6563f3ed0c951ff08f14c7ea1f3db2da23

SHA512
0a1502f24c8e807ae8da46ac3e47bbabf04b704659f050f838e3777f85f9bae2aa83b0b4041496e975064d4f171bebfe87b18986b9b13db18e76b44446065013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
f220f41f4f8239e61026e858a47e9e08

SHA1
f6db27e6e73165a4e1d854e1e8d390825a89e19e

SHA256
50aa57e273fa36461b7c4d83148251c894ec789f7d59f6eb14b7069e154fc566

SHA512
712b86ee015b0162d2589960f9397fdefa3334b133e7fd8cd2bb781a3301bbe1e4437fd87f0f7c722c2397c2805d28fa34d374f1c4d394baa1a44ce9645398c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
e07849581bbcdb320f9cd82a86ec6dc9

SHA1
97c387476b00abd3564677df5415c3f718ba5a0c

SHA256
032780497e1a8a41db065c36184dda0c7c5f5d5d9b533e4d503db44ea99ccbf9

SHA512
d616b0df8a178b659d241574fd02ddef669fea66f8978208248abb6cc847aded613fc6cee5864cdd9aee28646a9d3532e77242752e13caa7d74f00eb0d1d0463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
5d4e9e0ebaeccb741a49497ff6d054dc

SHA1
9389cf487a6bf1a7c4ae751964e0249220f6212c

SHA256
1a5ab2a11721aee4967da414258393054417048f86bc9d51093d7039e95ce222

SHA512
d7f93d197cc4e1f127c395f1df5c6a637626567dda134ecc03f6867322dd3e3d4cb9eddc300f29e2bbe72217792125393c33e964d1ebf35d2e2f09319ade4fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
ec82f373c61d6bdb47a3059ee3a95463

SHA1
4c94ac4f4f7c0ee7a504bc75d6df5cc38f0b670e

SHA256
0d650c452780d095c5b6dd9c09d650512c0100928f6a3d658a111c4ccb6ae191

SHA512
c6222936445f86623fa03302b1c2fd4fcdbbd4aead37aaa936b828aa7e5e2bf19ab77b00b7ada35d37cc3f2fc13d17b76a0fd8c37964e5d83f85bf4029ba98bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
f4465b70af52b0f4295835e73aa3e0a3

SHA1
300dee4265e6e5259d17e896f6d6a110d39e89cc

SHA256
1be7b3d35fd233fde1184ee7d17da8227b7a658a094d7cbd2414b3a03e41b3f1

SHA512
cfaadf65e78e606f6d44fa7ac1bc53457bfe136860d5faa88e30dd289ce119989da670610fe4a32d1d901d37d89a0331e222dfef7bd640253d1715e2df96d922

Download Submit
C:\Users\Admin\AppData\Local\Temp\662089\B

Filesize
484KB

MD5
6721d6a6aee8eb18cd680f8e47e41900

SHA1
ecdedda3b8e2b1b3175a3bdf122a61af069659c0

SHA256
5616d3b8fa4b1a69dd4cef275c3cb9fbf42106ca90aa14b2934d15c2c24de202

SHA512
173669c0a365a979cc7c2fcb2e5901a1734b295febb57117bead7f6a37d97e0b8fd9be334df74c3d0fc649e6c3e4fc26b6163eb6637cde6fe4c09831652d1236

Download Submit
C:\Users\Admin\AppData\Local\Temp\662089\Glance.com

Filesize
2KB

MD5
81fb33ab1b8e447ebc1196b7e0072863

SHA1
97f9e668cd448c1f965eb0e57da4d7230d967e1e

SHA256
c86f5a839aa31cd698503ce609ab120781fd40982e2ede65af71468fcf81348c

SHA512
c277e3b4062071733498077d0ba0d0808d32124cf67ffc1bfa28e682c2610285490c0b5bda05f0d9940c7918e1329819eedd41cf7ad5407c534bca740a3e8a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\662089\Glance.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\662089\Glance.com

Filesize
195KB

MD5
01f30bde29df4bba7bb81f35715a2591

SHA1
d771b099d92c7949051f590304bde2e3f19352ab

SHA256
cad2fab1ed4fcf9d1d2ed2b75efc7d64ead53ab9efacdbd1682e73b13d855cff

SHA512
de3aaa07ec3121ef3ebb1828aa76b1a55e5ea28d09348ae9a9f7f4a562bcfcc26954d2f354caf59f2e5bb7d2e1d430d17ffe5a05dc1a1ce7bc8c4f35ce2a63bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confident

Filesize
84KB

MD5
b8dd23bf9f8987b44dbcd57aae5a9603

SHA1
1f3147312ad471c887f9790ec2c97dc5898553ba

SHA256
ae180b46f41f64fc0cb5ccc2ada3edee6e386c34ed08633c6baad54c2315a965

SHA512
f72d8b8640d40ad116c99ea78e3e017d6bcd91906dab473a2f6c717ec00aefec79bb62eeb1a2de63c1c1ac2fedd162a95284b94e7ac08036decdb86a8b292de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coordination

Filesize
53KB

MD5
cb87c5c955c3f0b61722cc49aff39930

SHA1
d157ba45ff683db37afd802fdc337d91411ad529

SHA256
71ed2697d973920689c6d641b0b92dbd115e663648811188e8869f42e9b35e71

SHA512
a7614b51a62069af326fc14b5212911432ac888c7b2febef6728350add3e4c06557eb600bf8f102a55983278cbe6b8bfaa941ac548e9a86691a2ecee4e38fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Donna

Filesize
478KB

MD5
3ee7e8a0a479633f971e71e5706b42f0

SHA1
340677eaec37419f9cfb4d0809910ec23d1d2544

SHA256
f68d7703526e02d0a79895a27c8d6e61f67a60d2f14201040f9cf4bd52e5fb34

SHA512
223e39248e77f40a5149cee179b7bca995073adb064d6bb2d5dfb58ae8c08ef09a23f5cd0604d6e7c175fdf91d584f0332fec2f81caa6c2388537f58f1f057d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fiscal

Filesize
96KB

MD5
5bc8c09634e7ea7eff02b4aa6555e09a

SHA1
8dfa4f9f89c2a5d5094b23bd3b339c523ccfa6b7

SHA256
0c3299f7f02667f71627e3cea98ff3a394b2787c7e647a41670cf95d65b70eae

SHA512
cd425049b7b8d40514e5478dce425c42074684420bcad81981cf72f2accbcd13c62d13bf304bb88d378b8ad2910ca2a81763038e0f5183dbd4f6b0fc871d092f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hot

Filesize
52KB

MD5
26d6a7feb0f7bbd40907ac2fab3a2ab1

SHA1
a73a6918879a59a56452fef26959a2b58ba3c0c0

SHA256
54e6658c4adeb0383f736629665b96f34595943bab0d98e658b17eb3dd13a80f

SHA512
344ce3375869f344b6928dbd6d59aa66722ac07657339895d3b433802532c81aa93c9ca959fdcfc94df137a6aab2f5171a547145f463331f0ef929a180e1a0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jobs

Filesize
95KB

MD5
3da609b41e7d979606240c85d5a93426

SHA1
6475e1b99874db3ae195bb1f22d4ce36e943e3ea

SHA256
bef6909a96ff632e28f3c8699bf495a77d3777a7bdb1bbbe27f415ee5da7dc46

SHA512
aaab4ff37106473e8d9932eee8814405abd795e1534655fd3d2af5425f9f38ac4e472a6bdc951dcdd6fde8338680338963d8f02e76a09c6350230f66de111c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kerry

Filesize
2KB

MD5
300f8880e66df7e470355ec6dd272701

SHA1
e5c136f164dda626329ab3e882c5a145f8fecdd5

SHA256
e00ecbac750e9b4096c41a5f89828dffcafdf2925e66d6615efeeeaaee2d5856

SHA512
cc8ab587675a8500f65b07770cbddc446975eec7b7b60df4ea59b0f08edee01fe5de61d33768bc11d2cf91f696f91dd1cff802d6e189b402b3cb6e205f6351f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Looks

Filesize
125KB

MD5
79e30f81ccf127e13fdae0896c84c2bd

SHA1
83882731053a27536d8054913281812a50e81a9e

SHA256
ed28f73b17bff9b49cdf9972989f5c2e203bf9031509c0fdb2a82c68bdd413e2

SHA512
89413f776b73a42b9d822e1624b7b90cf5731ac4b0343a3b3edac712e14a0c233c8331ddcd9e33274fcc6d6ae3194b25be8e1ed7a83aab7604f52e55ba59f587

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newsletters

Filesize
109KB

MD5
6c9a3aa7ea1d6626afd25c082b9f3540

SHA1
1c004a9d4cf840c5c9bc6fd6d3068c14ac7df151

SHA256
ab1cd21bc09c99f050082bbb4e7d349d505a372242f48948a26b773370200186

SHA512
8a2bc2c2d4747e3855f273508343be75eb77d356681db32d9c13b4706a66a682ce5bf53994e97ea9ff6581c9aaf52f7de0022d4424bd6eff0050b8a243b53675

Download Submit
C:\Users\Admin\AppData\Local\Temp\Outsourcing

Filesize
70KB

MD5
c6949f440ee3f0a99296e7afcd9a0f05

SHA1
a4533084786f615ef4c3121d9e9acf9d10e6071b

SHA256
6cbd1a39f02fd7ea0fb6066625d1871a1fa91df6bc07ce5b31f561b5a21d7baf

SHA512
7accdc7bea28f57be753bb0104807ea357420219f1027ce5e6f2e9f9550e2452d08628d3783d467fb87fb3c7204e78c7e0e37f44139b109a5d46b4114c502cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quickly

Filesize
93KB

MD5
aff6d8a7ce8fc37a45a229cac8a64f6f

SHA1
4e8af9694f208b5e06cc3bd1611875f2eadee11f

SHA256
621c1e00e425d003d2a65128be5c4d75e66199d5bacc2d1233436c9e07c7c3b9

SHA512
1df7468cafb9460cf3009c4ba2ded857055084c75f7ee8d5a29c9c6d6bb89e8a4ee4b236a3d162c35c787c874d009d3f5db5a7c065861c0033addbe045c65b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rainbow

Filesize
111KB

MD5
1f31fe3fdfc141a352224b82c318aa93

SHA1
26ed1cc36060b9e3e967740524f27d9d6b2b8577

SHA256
c899a05d803c189d797bd8fc797d636971d70de4841cc5da540e09d6c0cf5319

SHA512
1978fe693ccb52120f22c33871516305705bfa0635bc54edfb68ce6b4630759232a97d72a84368cd4c7c329d376a99279ec0e513677e090dcb0fa651e5d744d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reconstruction

Filesize
15KB

MD5
281d7fb65f8a3b3cb83b4e204a04e03e

SHA1
04d9f001a5e2f15c81f6d892dab396b5cee52de0

SHA256
a3e8f583b7e42a9cda2290a9984ec27d2d596e3a792f0eab11ababfe5269b650

SHA512
e493304f5c63d9db4f6702a1f8eb1787c682980202c3f70b3b44475aaa06b99e82023132c0dba75c11442a96d3db6ffbd3ba911b2f8485d73d5e145fe43dcc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Significantly

Filesize
94KB

MD5
8eccb46a9a06ca37934c77942b44e971

SHA1
00482114540fcfe817e4ea417c24691d2776bcca

SHA256
59cf182448170ed844f9dbe0fee260587badbd396bd28fca62b9ad8f2f3d6ceb

SHA512
6a5da22cdc381588803147c2f4049b7d68e770867e79bc502f14d4758bc3c6910132cf699f60ac1a9a9ee89921fd69226f9c26e3d68863d9e46bf93c29db74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Simple

Filesize
36KB

MD5
368fa8779828be6eec5323d035cfa1f6

SHA1
0314593f949df1398108aefff9db767c308e752e

SHA256
8ed0622f5a9230a7ee88a37eaddb8f829c8d4498594483fb11ac190b2ac224dc

SHA512
3d0173c2d452e186f54779a95fbf4c27e13a2a772c764f116fc0b550eabdbcef148f076885a515448b11236f44a4d62719de5b980793ac175522089937d878f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sofa

Filesize
23KB

MD5
ec5f7b6be07602504dcc265bf91c52ff

SHA1
109edd48cdabd3de6791720043f146e2faeb7208

SHA256
4f2cc68fb7a0faa9cd800391ef8fbcde8ea55230550c9f4fc4acbb10dac85e7a

SHA512
00701ff6a1cd79dbd92a9da8d500ccf92daf38853c1c80987f97527cad9a3f1193a73b54b72957ffe7fd668165dea5f7df8c6e7b24f2e1a197eac7cdcaebc544

Download Submit
C:\Users\Admin\AppData\Local\Temp\Star

Filesize
134KB

MD5
29a22a63e02144a1be83a5e50976fd34

SHA1
ae4f8eb649039729706cbc3541285aef0db5f931

SHA256
44214e537953ac1f1eaede135d510fafdd2a403bb04cb8f068e79bf0b4718d31

SHA512
977dee176d8c8d47e92a160063c956fee0ea699aaf6f4b9a5e0006a4c6353bc5f70f7c6db01a9a30546d6ac90436135a2979aa2cd6c2eafc7f7c5af8c838f8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sunset

Filesize
73KB

MD5
78e739b58f16c8f84e7dc6628057f0db

SHA1
de7ee3fd925a79a5e36b4ab0b20b65e302e34a32

SHA256
e3f8111a48abb9e046a3532d424b6082c842dd2781c95fcd3b85bf205408bb29

SHA512
48999da9615ce0786dc7237e101af5c3d48f2f4418f5b7e37e2d52751b8cfb6f906a286aaf7d3444d52758cd9b9b90731f1657ffd07c9b52d8429f5efe1016a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Testimony

Filesize
59KB

MD5
9e0d013ff234b1e10d6f48308cc6d1c2

SHA1
4a34ffed52e116b720a4c0beb92d2b75512994d5

SHA256
4b00696ab11fc217c3cdccf8a30f22cdd9c4c779d966744dbddc1339d91b839e

SHA512
2c2826b2a296554f365f2d91aae769c1728a7005587bb412ed77c15afb394fc16ec30172b4c626df15e06a7ff641df8efea671d47cd8fd843a772f4032c434f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\They

Filesize
52KB

MD5
751ca264b71743af86dc3f07368a2954

SHA1
6ec329709940295d97278474c6bed683ba00c439

SHA256
907c44e6cad52bfe00465838c4254a33481d33f4816fd553aa0624e6e15aa1ba

SHA512
a8ab6ea0facd5680d711fa6f9470ff6236359b9844e17b549b53d4afbb81984c554e4f94f2f3da976d08ca6770ecd2f9a1bd5460c2403940fe378ad4276ac6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Underground

Filesize
55KB

MD5
27313b54c7f2b0c8c957c2171f797c8d

SHA1
3cd39dc6c65b2a4ce8c0560d56053abd995779d3

SHA256
f1697eeb00c2fdcbd293d7138dd04f57cbd63d98705ba19987b915989b2ca7ec

SHA512
07b36ffd28563a7212be1ba2c66c2c98ce2615f70cc802c654ad1d2abf60b412fd875d9b2b60728f20576258468d2a0395cc840224ddbaa5f793783de98ded76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\!Ǵe𝔱-Set𝓤p--8477__Pǎ$$w0ɾD#!!.7z

Filesize
12.3MB

MD5
169e531bec39cb744d23abad9ece21b0

SHA1
02a620eec8027225b91def71b79ffcc3c056d673

SHA256
19bf426f5d7beb68b97cb0a823f8937cf54d5a49caf908e98d87bd27378645db

SHA512
4864f4abb1a59ca9ec43a6ec45a2a47414e4659a6b7d855a81098034ce1947f9b746e06669e59d925c6e8c99abe4733f15dbb37f277dafd278bbbe5a7d5de348

Download Submit
C:\Users\Admin\Downloads\@!Ǵe𝔱-Set𝓤p--8477__Pǎ$$w0ɾD#!!.zip

Filesize
12.3MB

MD5
1c071f44c1eea49665517561db723a33

SHA1
f09a74fdc3da6aa1bd83152e2968293f958e1211

SHA256
a088cd3df279ca6e8f127819ca0960d0cdd2fd4865b24857eca1f41d56538193

SHA512
5b8362faa164e53bc55d7149990b43f928ab19dd66036597796013b2816687c0ccb1b6cb0fb579c3673d517038ab0a0291697d24c1e65fe3692ba5840086d6d6

Download Submit
C:\Users\Admin\Downloads\Old_Setup\htwj

Filesize
2.4MB

MD5
ceea78710c5247be6a4dda72a209f3d5

SHA1
92d6cc42c820df8fee42748e1f778d3265cf582a

SHA256
6bf12cad0c848c4ff37152c30d263188d07da8c5f17dac4f49c2ba0691221add

SHA512
e2164edb3eee4bbf97aca6da81b1d2cb7b35bd2569d72c8f0a9fdf42738ae83100a399c7c831229706d857a4d4adbd5ea5cf1ab50b7c0feb43954bb9a7f44471

Download Submit
memory/1392-899-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-888-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-887-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-896-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-889-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-898-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-897-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-894-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-895-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/1392-893-0x000001BC2C850000-0x000001BC2C851000-memory.dmp

Filesize
4KB

Download
memory/2364-788-0x00000000050B0000-0x0000000005107000-memory.dmp

Filesize
348KB

Download
memory/2364-789-0x00000000050B0000-0x0000000005107000-memory.dmp

Filesize
348KB

Download
memory/2364-787-0x00000000050B0000-0x0000000005107000-memory.dmp

Filesize
348KB

Download
memory/2364-786-0x00000000050B0000-0x0000000005107000-memory.dmp

Filesize
348KB

Download
memory/2364-785-0x00000000050B0000-0x0000000005107000-memory.dmp

Filesize
348KB

Download