lumma | 3a9369aefe2a1212ca0bfadc0925d0149caf6436d1d9934e35c976fc9194a344

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Browser_128_344_166.msi
Size

1.2MB
MD5

6265ad87754194af5bbd40aada2930a9
SHA1

211b19af5e77f153f431ac223b9c22e8a5275ae9
SHA256

3a9369aefe2a1212ca0bfadc0925d0149caf6436d1d9934e35c976fc9194a344
SHA512

fe16f9d906996db99c55ed815fbe5c3be722c49a1a916a89c71c46a7fd2b7c40f2dadabe54a7dfe38a78a85d2115dd34c276f881c910a8cd1505090a2db3779e
SSDEEP

24576:y/QsaepAxRKUMbZHkw92S1SBcKLmv47n4pQixafg9WPo7:BsTpAxrYMpmK41Mfg9N

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://handlequarte.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 1308	456	steamerrorreporter.exe	103
PID 3728 set thread context of 3168	3728	steamerrorreporter.exe	118
PID 3760 set thread context of 2336	3760	steamerrorreporter.exe	124
PID 700 set thread context of 4984	700	steamerrorreporter.exe	132

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6936.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE96.tmp	msiexec.exe
File created	C:\Windows\Installer\e581373.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1B0AFDE1-E780-4315-9F34-1F0901483490}	msiexec.exe
File opened for modification	C:\Windows\Installer\e581373.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1410.tmp	msiexec.exe
File created	C:\Windows\Installer\e581375.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FBA.tmp	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
4324	steamerrorreporter.exe
456	steamerrorreporter.exe
2652	steamerrorreporter.exe
3728	steamerrorreporter.exe
468	steamerrorreporter.exe
3760	steamerrorreporter.exe
2136	steamerrorreporter.exe
700	steamerrorreporter.exe

Loads dropped DLL 17 IoCs

pid	Process
4324	steamerrorreporter.exe
4324	steamerrorreporter.exe
456	steamerrorreporter.exe
456	steamerrorreporter.exe
2652	steamerrorreporter.exe
2652	steamerrorreporter.exe
3728	steamerrorreporter.exe
3728	steamerrorreporter.exe
3728	steamerrorreporter.exe
468	steamerrorreporter.exe
468	steamerrorreporter.exe
3760	steamerrorreporter.exe
3760	steamerrorreporter.exe
2136	steamerrorreporter.exe
2136	steamerrorreporter.exe
700	steamerrorreporter.exe
700	steamerrorreporter.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3172	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133817077154901515"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c004346534616003100000000004759d249120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe4759d249325a10a82e00000065e101000000010000000000000000000000000000004f88a8004100700070004400610074006100000042000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 5000310000000000325a36a810004c6f63616c003c0009000400efbe4759d249325a36a82e00000078e101000000010000000000000000000000000000006e4b65004c006f00630061006c00000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000ac8f87539918db01f02fc2aaa018db012150b848ec69db0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 4e00310000000000325a4ea8100054656d7000003a0009000400efbe4759d249325a4ea82e00000079e101000000010000000000000000000000000000008a911300540065006d007000000014000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	msiexec.exe
448	msiexec.exe
4324	steamerrorreporter.exe
456	steamerrorreporter.exe
456	steamerrorreporter.exe
456	steamerrorreporter.exe
1308	cmd.exe
1308	cmd.exe
1308	cmd.exe
1308	cmd.exe
448	msiexec.exe
448	msiexec.exe
2652	steamerrorreporter.exe
3728	steamerrorreporter.exe
3728	steamerrorreporter.exe
3728	steamerrorreporter.exe
448	msiexec.exe
448	msiexec.exe
468	steamerrorreporter.exe
3760	steamerrorreporter.exe
3168	cmd.exe
3168	cmd.exe
3168	cmd.exe
3168	cmd.exe
3760	steamerrorreporter.exe
3760	steamerrorreporter.exe
2336	cmd.exe
2336	cmd.exe
2336	cmd.exe
2336	cmd.exe
448	msiexec.exe
448	msiexec.exe
2136	steamerrorreporter.exe
700	steamerrorreporter.exe
700	steamerrorreporter.exe
700	steamerrorreporter.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4984	cmd.exe
4984	cmd.exe
4984	cmd.exe
4984	cmd.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4076	chrome.exe
4076	chrome.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
456	steamerrorreporter.exe
1308	cmd.exe
3728	steamerrorreporter.exe
3760	steamerrorreporter.exe
3168	cmd.exe
2336	cmd.exe
700	steamerrorreporter.exe
4984	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3172	msiexec.exe
Token: SeSecurityPrivilege	448	msiexec.exe
Token: SeCreateTokenPrivilege	3172	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3172	msiexec.exe
Token: SeLockMemoryPrivilege	3172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3172	msiexec.exe
Token: SeMachineAccountPrivilege	3172	msiexec.exe
Token: SeTcbPrivilege	3172	msiexec.exe
Token: SeSecurityPrivilege	3172	msiexec.exe
Token: SeTakeOwnershipPrivilege	3172	msiexec.exe
Token: SeLoadDriverPrivilege	3172	msiexec.exe
Token: SeSystemProfilePrivilege	3172	msiexec.exe
Token: SeSystemtimePrivilege	3172	msiexec.exe
Token: SeProfSingleProcessPrivilege	3172	msiexec.exe
Token: SeIncBasePriorityPrivilege	3172	msiexec.exe
Token: SeCreatePagefilePrivilege	3172	msiexec.exe
Token: SeCreatePermanentPrivilege	3172	msiexec.exe
Token: SeBackupPrivilege	3172	msiexec.exe
Token: SeRestorePrivilege	3172	msiexec.exe
Token: SeShutdownPrivilege	3172	msiexec.exe
Token: SeDebugPrivilege	3172	msiexec.exe
Token: SeAuditPrivilege	3172	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3172	msiexec.exe
Token: SeChangeNotifyPrivilege	3172	msiexec.exe
Token: SeRemoteShutdownPrivilege	3172	msiexec.exe
Token: SeUndockPrivilege	3172	msiexec.exe
Token: SeSyncAgentPrivilege	3172	msiexec.exe
Token: SeEnableDelegationPrivilege	3172	msiexec.exe
Token: SeManageVolumePrivilege	3172	msiexec.exe
Token: SeImpersonatePrivilege	3172	msiexec.exe
Token: SeCreateGlobalPrivilege	3172	msiexec.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeBackupPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3172	msiexec.exe
3172	msiexec.exe
3172	msiexec.exe
1772	msiexec.exe
1772	msiexec.exe
4580	msiexec.exe
4580	msiexec.exe
2252	msiexec.exe
2252	msiexec.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5464	chrome.exe
5464	chrome.exe
3280	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2064	448	msiexec.exe	98
PID 448 wrote to memory of 2064	448	msiexec.exe	98
PID 448 wrote to memory of 4324	448	msiexec.exe	101
PID 448 wrote to memory of 4324	448	msiexec.exe	101
PID 448 wrote to memory of 4324	448	msiexec.exe	101
PID 4324 wrote to memory of 456	4324	steamerrorreporter.exe	102
PID 4324 wrote to memory of 456	4324	steamerrorreporter.exe	102
PID 4324 wrote to memory of 456	4324	steamerrorreporter.exe	102
PID 456 wrote to memory of 1308	456	steamerrorreporter.exe	103
PID 456 wrote to memory of 1308	456	steamerrorreporter.exe	103
PID 456 wrote to memory of 1308	456	steamerrorreporter.exe	103
PID 456 wrote to memory of 1308	456	steamerrorreporter.exe	103
PID 1308 wrote to memory of 1180	1308	cmd.exe	115
PID 1308 wrote to memory of 1180	1308	cmd.exe	115
PID 1308 wrote to memory of 1180	1308	cmd.exe	115
PID 448 wrote to memory of 2652	448	msiexec.exe	116
PID 448 wrote to memory of 2652	448	msiexec.exe	116
PID 448 wrote to memory of 2652	448	msiexec.exe	116
PID 2652 wrote to memory of 3728	2652	steamerrorreporter.exe	117
PID 2652 wrote to memory of 3728	2652	steamerrorreporter.exe	117
PID 2652 wrote to memory of 3728	2652	steamerrorreporter.exe	117
PID 3728 wrote to memory of 3168	3728	steamerrorreporter.exe	118
PID 3728 wrote to memory of 3168	3728	steamerrorreporter.exe	118
PID 3728 wrote to memory of 3168	3728	steamerrorreporter.exe	118
PID 1308 wrote to memory of 1180	1308	cmd.exe	115
PID 3728 wrote to memory of 3168	3728	steamerrorreporter.exe	118
PID 448 wrote to memory of 468	448	msiexec.exe	122
PID 448 wrote to memory of 468	448	msiexec.exe	122
PID 448 wrote to memory of 468	448	msiexec.exe	122
PID 468 wrote to memory of 3760	468	steamerrorreporter.exe	123
PID 468 wrote to memory of 3760	468	steamerrorreporter.exe	123
PID 468 wrote to memory of 3760	468	steamerrorreporter.exe	123
PID 3760 wrote to memory of 2336	3760	steamerrorreporter.exe	124
PID 3760 wrote to memory of 2336	3760	steamerrorreporter.exe	124
PID 3760 wrote to memory of 2336	3760	steamerrorreporter.exe	124
PID 3760 wrote to memory of 2336	3760	steamerrorreporter.exe	124
PID 3168 wrote to memory of 1316	3168	cmd.exe	126
PID 3168 wrote to memory of 1316	3168	cmd.exe	126
PID 3168 wrote to memory of 1316	3168	cmd.exe	126
PID 3168 wrote to memory of 1316	3168	cmd.exe	126
PID 2336 wrote to memory of 4288	2336	cmd.exe	128
PID 2336 wrote to memory of 4288	2336	cmd.exe	128
PID 2336 wrote to memory of 4288	2336	cmd.exe	128
PID 448 wrote to memory of 2136	448	msiexec.exe	130
PID 448 wrote to memory of 2136	448	msiexec.exe	130
PID 448 wrote to memory of 2136	448	msiexec.exe	130
PID 2136 wrote to memory of 700	2136	steamerrorreporter.exe	131
PID 2136 wrote to memory of 700	2136	steamerrorreporter.exe	131
PID 2136 wrote to memory of 700	2136	steamerrorreporter.exe	131
PID 700 wrote to memory of 4984	700	steamerrorreporter.exe	132
PID 700 wrote to memory of 4984	700	steamerrorreporter.exe	132
PID 700 wrote to memory of 4984	700	steamerrorreporter.exe	132
PID 2336 wrote to memory of 4288	2336	cmd.exe	128
PID 700 wrote to memory of 4984	700	steamerrorreporter.exe	132
PID 4076 wrote to memory of 3804	4076	chrome.exe	138
PID 4076 wrote to memory of 3804	4076	chrome.exe	138
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139
PID 4076 wrote to memory of 4408	4076	chrome.exe	139

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Browser_128_344_166.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2064
- C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
- C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
- C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
- C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\protectwriter\steamerrorreporter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4984
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4000

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Browser_128_344_166.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1772

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Browser_128_344_166.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4580

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Browser_128_344_166.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdf393cc40,0x7ffdf393cc4c,0x7ffdf393cc58
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2092,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2328,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4140,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5288,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5316,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5516,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:2
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5152,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4540,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5732,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5300,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5108,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3492,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3748,i,14667447199273902334,4559973639867124554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3280

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581374.rbs

Filesize
8KB

MD5
cba52c4f34239b969efe8b2cc33287b5

SHA1
d92d7cc6fe1451aa7ba87bcdaaa33d18948566b7

SHA256
dfbcbf7dab887a7f4788657e6742cbda2ffc342e7f7d08006cc21401ce314a96

SHA512
2e78e6b0d66efa9ad640f4173568f8aa3f2987da108a53776b1c2d5f85c9e89474f2d9086c814b3db390c6dec03343f9f91dc14485bc55e1e0cb143da6169138

Download Submit
C:\Config.Msi\e581376.rbs

Filesize
3KB

MD5
7f3a90a07830d0cf171c21524d013af2

SHA1
f725fe1ab052b5dec17d76adcba3e611d745e189

SHA256
e09168d83f65f9ab7057d062ca4176c1b262b7337778f735cb28f80b1c6d5a3f

SHA512
e0812442804cae45f78380ea4fa4cdf5fad0c702e918091de63fc20cd79280d6a6e4e615793d91b798d0b814a7da46d4ad1f1be7c54d2c55083dce02b7e8dc1c

Download Submit
C:\Config.Msi\e581377.rbs

Filesize
3KB

MD5
745c4edbf26a32fb7066e20f79ec04ed

SHA1
b23a87c1b6643bc0237512918dc01f39f75bda15

SHA256
79aa6ce3573fdac50b536a6470653fe28320fb2cdeb37c087d61afcb88903666

SHA512
e865e47920850fd82dd66796419e5a4522347e46329978a433d1a75fcd5cae2e49d8248e1f862d158cf9b1147ec805d931e9f99083594011d5ff2330b0ec5630

Download Submit
C:\Config.Msi\e581378.rbs

Filesize
3KB

MD5
17f5d9fe539c93a8ba81fdfa6629dc71

SHA1
5affaec8921f953a76b3135c70be6970515a49da

SHA256
91867d1aae1fa87c7853fe11afe3b855819b34c9b5a6e1788a416891e8bfadad

SHA512
bb59dd4eab1db97fc656f735899b10d9bdbfb4e2e32011c4c0efe6a9f52e3a730e11e51cbd437dbf1f1e2bee81ecd459dc24b8e3b2c8dc1c784c6c4b0fd7437e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\006da1b7-dbce-44fb-b96a-6080fcedda5f.tmp

Filesize
9KB

MD5
b0a8396c00337b606b80f8fac6f73940

SHA1
0ab7bfd0ef4be2c4ce79ff4c75fb2836d68d3013

SHA256
dc29415bea02fec2056d923172dc86c518997d41b4247ba2a388fa00d0fa12e0

SHA512
b1e983d756a04eda6239ce32b293870da85123f0cd911db36bbab6e052da3d99617e214175e1c992afb115718df3bd93ef7dce854d370d7fadb33a444cd018a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8fc9fe5bbdad551c25b1a8a678463c4f

SHA1
64b63bdea1d3135c604eef92db85ccb15ef55799

SHA256
94ff33d4be685d76a18162b51567da686184b830ecbfd99bfe29484d73f58421

SHA512
380a9fea062f684811360630211d3c77bb85902f500201583be81cbcb76e3651de6ada4fac0a015573ce5932a954f43f5d7aa2560d5fd5154d696b2504718d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
35KB

MD5
f78c90fe0099fe7b7d2656c4bfd7cdbe

SHA1
d2e71022e121e9ed1b6e354fb7a2371e0ee1f904

SHA256
288bac336fb5b5cce37c17f569aac865ab7c40731dc3664a0ef707fd8de0db72

SHA512
7da3674cb965d83993a5e01527c2c34eac7bd4300449190b949e45cc227d9c65e0edef9937a4a3addb1c4171c8955e77656f14e140470276f87a3bbf2196f59a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
5c5f9b794d58cb7dcaf90698ee427b74

SHA1
0af85c9494f9ebf695d143ffe36910f2df9fcc97

SHA256
b5f12301bcf774c0ae6db799a31b268e5b6d078e101b19973433c40a4a4f0294

SHA512
9122798d72e3c67c9f1c7fe235974f49988771d22827679551c7c331319fca8a7934eb5acdb74151190d293dd3521d9ddd3e24d63fe4581f7d393cafd72053f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9a01d6881fccd2ac5232c3aa0b875f6

SHA1
ffb72b4b08a7eefdafbb5d98414d7b7b35631855

SHA256
8f778e0bebfeba0b5bfddc9b431fcf14b2079c73cef058d429e608293bf09eec

SHA512
5f46660d2da24dbb5bab681225d0ea80a77d50f9b2fff40b2c576911b89515fcba9dd65581c38266167080a8ce72ecb42072c166ee06989835e1a787359490db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dafe0ba2d10fdb07e4a9b302dd2c115a

SHA1
6075de8db8f8dec07734e1fe1716780fb0a97985

SHA256
e07e77941eead3dd354b731c20483ca8cae03edb56735c52de8d3a99869e3f99

SHA512
8da8ab3614ed7bf48d58946e2d194d0289135392a9c0fba22f373156e7c0cfd206e69f88b30382ec62271d13a7b90090d3ae624c9d4edc2b45cf686b085a9368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15cd2a609668117fe34cf098af1afe25

SHA1
46f8b87954c8ae024d0bcbbf7824d02005ecde1c

SHA256
09229d2068fcd1ec86d5bafacc1e952521add855856fcf7e1bc2e6c51ec3d332

SHA512
bb0879e678e567709e04ac29ac3707b505ab41ea80787756b175beb6900e897c27cad4e01029b5635a90e889e8ed2a2f773c26ad613d7e3881deddd559be9bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1298217e4dfd6166c8b80010714ef954

SHA1
0646ada612bb66530a443b1e39104ff08babef8a

SHA256
301df17161cdb44472435a9b12d74e6c734a56d68f2b45203b7c241b6c4aa150

SHA512
30a6f3918a0bea77b191e027eccc43fa77448d4ccf97f56c563317ad9b9960316bc5d9a14e949ae5af03e66cabe230592cbdc511c6ebff413d95190f5e2ab810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d71ed632f26ebaa4a4a3925b9ce252f8

SHA1
0f9b95fb8f4bf53b96fff113aa7467487852e6d2

SHA256
1f37f8efca07b862933fcf9e82ed8148099e7823c0ca8df118d2de330567d287

SHA512
c36fed68edbe88524a1ef053dbf9f296e19f819d606e724e9e31b402af2cef61e2a6e6caca1eef069bb3f9908a6cb09ebe6102fcba429d6719496be3b7de5c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
d7c058ae6b632486ef3bbd8a407918c6

SHA1
b1a6fd2c4b849ac069f96aa1372440fe267112a8

SHA256
8a1f38b8b883dec22744f8b43ee9c81fcccb2d7335f11c786726f9f5979ad184

SHA512
1304e362039b59594e4e3f9f98acf2b96db79f7b0d489f175c7ac634e5510a16a6d377e0ce61bb85da860648e63b144d31d311dd026f5f7d61bb4ac77ebe123c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
feda6d4fcd6ede261bdc7c04fb184676

SHA1
355c385ecb13a5bdad833f474dc1bc232f71db33

SHA256
7fc48da04ae4e3db37b62b9115f86e3505205b5fe1d527ca7da728247cce708d

SHA512
23d8f47044ee1f66fe31e3df4d6e915b6abcd097fc8fca2589328e0751dd9d4b873ab4e5b26951630ef8a304f04b0e14e9c4af6dabfa1be306d951a1415f6648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
8160c4832c3b08ae6977868e24c38a76

SHA1
fb75b7dd4368f508f97038fae7ac5d400d7db72a

SHA256
82b794fc175054344bfdc358ea8f354051bf0e785fcb1f1f5594c4ecdafb379c

SHA512
001467c14c0ca99ad72146f2b911d2260e06a966fa7e28c1f1963983793b8caaa0888014e7fc2bea4019fb5478aa7ab3abf27a9de47ed1164155e769bbf02761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
6ab184baddecb69d811113a0e0226ba6

SHA1
362b810f47ba297703a65a7197fcea84f1f00cdb

SHA256
fb6acbb2e952e904c71f440d1324980136d6e04972af5bec109a4788e7c1ccfe

SHA512
5ab33a10c816ba646062d8875715c0e24214b92c5304d1bb98e4376d88d170a2622a0cbb9f8268e850bdb76f76abd10f2aeff26e9135b907fc2beee462162675

Download Submit
C:\Users\Admin\AppData\Local\Pulu\bookmark.pkg

Filesize
807KB

MD5
bfa7cf4e086bfa4d7d705c00a8804993

SHA1
bab0b20067646f0ce6667bf295e1b1e27c8c8d45

SHA256
b522c814134b6f0ccfd956b332125a7b79875a50c546339547bacc75f0e4724f

SHA512
c1f23e06071fb5d1158a0c9d671e7c72924a45c335fc01cb5037a45755700d3aa8ffd24d4534394682625da42fbecfb01e4995a2ffaeb6416340ca3412533c33

Download Submit
C:\Users\Admin\AppData\Local\Pulu\camellia.ai

Filesize
35KB

MD5
ef4cc2dc2376885bd5fe462f2e2c2306

SHA1
569c6142aad7df78e15248e1ec330aa257c822c6

SHA256
a4e58970b06198c3ba9ccea820107cbb9ffd3e6a573cb88fac2b9cf1189bfdb9

SHA512
75c3911ff3d8fe1cdf3ac658f0ba8be7c1e23ada08fbac5ec0ef7315728c74e8a470b5f96c287f3e8c93e95bb08f5c60eba4246260e83d949dd980440cadb489

Download Submit
C:\Users\Admin\AppData\Local\Pulu\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
C:\Users\Admin\AppData\Local\Pulu\tier0_s.dll

Filesize
330KB

MD5
86e38e6248c90cf7b79541f5cf565cce

SHA1
a746e8e6ee1a5010e5fa34cee7a3d29a11e9d035

SHA256
021152ff66cc6a397f1f2e26575d73c19c7e065ad23e2d811340abf759d6b2e8

SHA512
2d0d3238988e41ad47f0f35c6271e7f25379d3de5b949b63f795d80fbdb02594398fa3c7830418ff8feb67c6cac2ccd7d4ec64ade9fec2a1b072718215a9a54d

Download Submit
C:\Users\Admin\AppData\Local\Pulu\vstdlib_s.dll

Filesize
530KB

MD5
bf433279dfa1820d93ef9417fceaf306

SHA1
21dfda7d0ce11dba8f786c72d0a4db1dd3a82308

SHA256
3fa60435cba38c85310eeba1032bf1d305aeea2e4cf890c17966366d63d43963

SHA512
dd1823f68a25cb9d25d125267e9ea4fb0803ec0133b5fd183cf0d832ad1dceca53a8a7d4d79b94ce0b67ef3050334373ec80c211fa1ff8888c4a724d64a1b250

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ed6c9b4

Filesize
1.0MB

MD5
3ed15eb9c2cf7a2e84141f636552916e

SHA1
9b544bb310e339f72562459144ba0648a4bdfba0

SHA256
e0d6d3d8e65c70c2b3d32d5480d8457d608f410d95ba6e91891438587f4f6784

SHA512
db37a8c11c97da7965a9406e289fc1f1d993ff5eeebf5e9405eb4020074a035713f3ea2ab012a07c57a8eb2f1f02fb0c1d0083c3f300cccee78dc15e97118e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7dcab1

Filesize
1.0MB

MD5
1aee383c02c6ded2331eb007fdbd9f32

SHA1
9012f0d912dd3efb283b37ac8192cbb9d783e02b

SHA256
a996f50e052b20b729669d3acc5e8fbabca2e87fdecf359739084fd898ce6130

SHA512
581bb32c2313ba6fafccb23c9f597c14b8d7f0e3b0e4183b6677cef704f01b48887f68882b0a18545d1e449882875881cd56b1230ee52116533d4a48ab635a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4076_1608679477\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4076_1608679477\e9dac696-cbc3-4824-904f-ee498bfb70c2.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Windows\Installer\e581373.msi

Filesize
1.2MB

MD5
6265ad87754194af5bbd40aada2930a9

SHA1
211b19af5e77f153f431ac223b9c22e8a5275ae9

SHA256
3a9369aefe2a1212ca0bfadc0925d0149caf6436d1d9934e35c976fc9194a344

SHA512
fe16f9d906996db99c55ed815fbe5c3be722c49a1a916a89c71c46a7fd2b7c40f2dadabe54a7dfe38a78a85d2115dd34c276f881c910a8cd1505090a2db3779e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
06f71f282fb63b4333dbfd2c61d644b1

SHA1
6a2dce1bf9ab71ac953eebb475783ef7b0bf004d

SHA256
5dd517b69d20991283dd6ebe276b0d4bead778df2f3f30150241258555aa2e42

SHA512
efa38a9968280f431f7ed7bf60cfcc94f40261bd09ab5ea2b4cc81575fa48078f1630aab0f7d3a7fe02ba4667fa5f6189a5c7cd4872f9ebf41d0a4777597c48f

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{defcce8e-12c9-4792-85e2-1aead8f1f586}_OnDiskSnapshotProp

Filesize
6KB

MD5
d776b41ce35fcb8ebae5ba072554a26b

SHA1
6cf6af10229f2620098bf1d23224a9debbb969a3

SHA256
a2c3b6ab52921f4e89a7b9849f4a74b256aae777168e4a14c55ed104502bbdb7

SHA512
5474edf3827c02ec08ee814e1d945292dd54bcb3b480c68718b00a10f8475faefefb13104651486d13739764933698eef650b4f6099575562db00cf92aa17e2a

Download Submit
memory/456-52-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/456-50-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/456-51-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-138-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-137-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/700-175-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/700-191-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/700-174-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/1180-127-0x0000000000A20000-0x0000000000A7E000-memory.dmp

Filesize
376KB

Download
memory/1308-55-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/1308-59-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/1316-156-0x0000000001020000-0x000000000107E000-memory.dmp

Filesize
376KB

Download
memory/2032-634-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/2032-640-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2032-652-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2136-166-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/2136-167-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/2336-150-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-72-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/2652-73-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-145-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/3728-92-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/3728-89-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/3728-90-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/3760-148-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/3760-146-0x0000000075430000-0x00000000755AB000-memory.dmp

Filesize
1.5MB

Download
memory/3760-147-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/4288-177-0x00000000009E0000-0x0000000000A3E000-memory.dmp

Filesize
376KB

Download
memory/4324-34-0x0000000075390000-0x000000007550B000-memory.dmp

Filesize
1.5MB

Download
memory/4324-35-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download
memory/4872-178-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-187-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-188-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-185-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-189-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-179-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-186-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-184-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-180-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4872-190-0x000002D3DCC70000-0x000002D3DCC71000-memory.dmp

Filesize
4KB

Download
memory/4984-193-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

Filesize
2.0MB

Download