lumma | 828b3c4a8e2c1eddc6bc54c1928ec562a9d4254f84a5545fa83d23419686240c

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

120.0MB
MD5

6a4e34aa83f72c212e76e1c228af6666
SHA1

bff7c730078f0ccf5aa00c52ec0cc2fe38bd1f56
SHA256

828b3c4a8e2c1eddc6bc54c1928ec562a9d4254f84a5545fa83d23419686240c
SHA512

37f0d3ad8017357164aaed7664ce628491d5215c686fc798698db6d6b0f15705052dd6a10d39e8b5c98c6ba62e0f0eb451d581e3ecff530bd96cd4fb80998cfc
SSDEEP

24576:utnbbEhDUbdE6bLdFiClougeEqsseyHCIAtcVZ0EIrGFTb7Tb7j:MEs/PdlhgPqsseyQtxE/Fr

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://deedcompetlk.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 6 IoCs

pid	Process
1948	Folding.com
6004	Folding.com
5812	Folding.com
6088	Folding.com
6112	Folding.com
5168	Folding.com

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
5856	tasklist.exe
3060	tasklist.exe
4428	tasklist.exe
876	tasklist.exe
5788	tasklist.exe
5560	tasklist.exe
5900	tasklist.exe
5944	tasklist.exe
1968	tasklist.exe
5376	tasklist.exe
5472	tasklist.exe
5516	tasklist.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\PermalinkModerator	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\NeitherRelax	Bootstrapper.exe
File opened for modification	C:\Windows\UploadedNegotiations	Bootstrapper.exe
File opened for modification	C:\Windows\EmpiricalPl	Bootstrapper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133817874918624238"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	Folding.com
1948	Folding.com
1948	Folding.com
1948	Folding.com
1948	Folding.com
1948	Folding.com
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe
4116	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2460	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe
5220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	680	taskmgr.exe
Token: SeSystemProfilePrivilege	680	taskmgr.exe
Token: SeCreateGlobalPrivilege	680	taskmgr.exe
Token: SeRestorePrivilege	2460	7zG.exe
Token: 35	2460	7zG.exe
Token: SeSecurityPrivilege	2460	7zG.exe
Token: SeSecurityPrivilege	2460	7zG.exe
Token: 33	680	taskmgr.exe
Token: SeIncBasePriorityPrivilege	680	taskmgr.exe
Token: SeDebugPrivilege	4116	taskmgr.exe
Token: SeSystemProfilePrivilege	4116	taskmgr.exe
Token: SeCreateGlobalPrivilege	4116	taskmgr.exe
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	5376	tasklist.exe
Token: SeDebugPrivilege	5472	tasklist.exe
Token: SeDebugPrivilege	5516	tasklist.exe
Token: SeDebugPrivilege	5560	tasklist.exe
Token: SeDebugPrivilege	5788	tasklist.exe
Token: SeDebugPrivilege	5856	tasklist.exe
Token: SeDebugPrivilege	5900	tasklist.exe
Token: SeDebugPrivilege	5944	tasklist.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: 33	6020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6020	AUDIODG.EXE
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe
Token: SeShutdownPrivilege	5220	chrome.exe
Token: SeCreatePagefilePrivilege	5220	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1948	Folding.com
1948	Folding.com
1948	Folding.com
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
2460	7zG.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1948	Folding.com
1948	Folding.com
1948	Folding.com
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3920	OpenWith.exe
4744	AcroRd32.exe
4744	AcroRd32.exe
4744	AcroRd32.exe
4744	AcroRd32.exe
4744	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2464	4748	Bootstrapper.exe	83
PID 4748 wrote to memory of 2464	4748	Bootstrapper.exe	83
PID 4748 wrote to memory of 2464	4748	Bootstrapper.exe	83
PID 2464 wrote to memory of 3060	2464	cmd.exe	89
PID 2464 wrote to memory of 3060	2464	cmd.exe	89
PID 2464 wrote to memory of 3060	2464	cmd.exe	89
PID 2464 wrote to memory of 1408	2464	cmd.exe	90
PID 2464 wrote to memory of 1408	2464	cmd.exe	90
PID 2464 wrote to memory of 1408	2464	cmd.exe	90
PID 2464 wrote to memory of 4428	2464	cmd.exe	92
PID 2464 wrote to memory of 4428	2464	cmd.exe	92
PID 2464 wrote to memory of 4428	2464	cmd.exe	92
PID 2464 wrote to memory of 1584	2464	cmd.exe	93
PID 2464 wrote to memory of 1584	2464	cmd.exe	93
PID 2464 wrote to memory of 1584	2464	cmd.exe	93
PID 2464 wrote to memory of 2456	2464	cmd.exe	94
PID 2464 wrote to memory of 2456	2464	cmd.exe	94
PID 2464 wrote to memory of 2456	2464	cmd.exe	94
PID 2464 wrote to memory of 4100	2464	cmd.exe	95
PID 2464 wrote to memory of 4100	2464	cmd.exe	95
PID 2464 wrote to memory of 4100	2464	cmd.exe	95
PID 2464 wrote to memory of 2152	2464	cmd.exe	96
PID 2464 wrote to memory of 2152	2464	cmd.exe	96
PID 2464 wrote to memory of 2152	2464	cmd.exe	96
PID 2464 wrote to memory of 1768	2464	cmd.exe	97
PID 2464 wrote to memory of 1768	2464	cmd.exe	97
PID 2464 wrote to memory of 1768	2464	cmd.exe	97
PID 2464 wrote to memory of 3412	2464	cmd.exe	98
PID 2464 wrote to memory of 3412	2464	cmd.exe	98
PID 2464 wrote to memory of 3412	2464	cmd.exe	98
PID 2464 wrote to memory of 1948	2464	cmd.exe	99
PID 2464 wrote to memory of 1948	2464	cmd.exe	99
PID 2464 wrote to memory of 1948	2464	cmd.exe	99
PID 2464 wrote to memory of 1800	2464	cmd.exe	100
PID 2464 wrote to memory of 1800	2464	cmd.exe	100
PID 2464 wrote to memory of 1800	2464	cmd.exe	100
PID 4012 wrote to memory of 2316	4012	Bootstrapper.exe	115
PID 4012 wrote to memory of 2316	4012	Bootstrapper.exe	115
PID 4012 wrote to memory of 2316	4012	Bootstrapper.exe	115
PID 1708 wrote to memory of 1144	1708	Bootstrapper.exe	118
PID 1708 wrote to memory of 1144	1708	Bootstrapper.exe	118
PID 1708 wrote to memory of 1144	1708	Bootstrapper.exe	118
PID 2052 wrote to memory of 2756	2052	Bootstrapper.exe	121
PID 2052 wrote to memory of 2756	2052	Bootstrapper.exe	121
PID 2052 wrote to memory of 2756	2052	Bootstrapper.exe	121
PID 4568 wrote to memory of 1584	4568	Bootstrapper.exe	124
PID 4568 wrote to memory of 1584	4568	Bootstrapper.exe	124
PID 4568 wrote to memory of 1584	4568	Bootstrapper.exe	124
PID 3004 wrote to memory of 4432	3004	Bootstrapper.exe	127
PID 3004 wrote to memory of 4432	3004	Bootstrapper.exe	127
PID 3004 wrote to memory of 4432	3004	Bootstrapper.exe	127
PID 4744 wrote to memory of 4732	4744	AcroRd32.exe	131
PID 4744 wrote to memory of 4732	4744	AcroRd32.exe	131
PID 4744 wrote to memory of 4732	4744	AcroRd32.exe	131
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132
PID 4732 wrote to memory of 3760	4732	RdrCEF.exe	132

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1408
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4100
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Cheese" Difficulties
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    PID:3412
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1948
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:364

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Basement~\" -ad -an -ai#7zMap19491:88:7zEvent3854
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2460

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5604
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5988
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6004
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6128

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5560
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5568
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5900
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5272
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    PID:6088
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5472
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5484
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5168
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5188

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5376
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5384
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5788
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6112
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5812
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5516
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5524
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5856
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 347157
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E National
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
    Folding.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6112
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5379A5C6E93D11906696DB8EB4622EBE --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DDC8F6A654668DC1DE0EF22B04749EEB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DDC8F6A654668DC1DE0EF22B04749EEB --renderer-client-id=2 --mojo-platform-channel-handle=1908 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1772
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0994731A679EFCFE5679295A7EEC7858 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0994731A679EFCFE5679295A7EEC7858 --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3E3379B912AC7D5B9990EFD2C871051C --mojo-platform-channel-handle=2940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D1F2C9A9E4399B34F413B557BA23FA3 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6028
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D8789DFB12869C37DDC2F7A831E4649 --mojo-platform-channel-handle=2100 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5300

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa19efcc40,0x7ffa19efcc4c,0x7ffa19efcc58
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2336,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:2
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1748,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2008,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4848,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4444,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5232,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4912,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5448,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6344,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5068,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5692,i,14636827818237108634,7951615003351695465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa19efcc40,0x7ffa19efcc4c,0x7ffa19efcc58
  2⤵
  PID:5728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
c26ed30e7d5ab440480838636efc41db

SHA1
c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591

SHA256
6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef

SHA512
96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
3ba3cee68d295fddc249d3f23ee3b8e2

SHA1
03b801d8d6d0a6b10872f8a8c66a7e6a2008d133

SHA256
e2bf98bd5753bd22f33674a3d01e9af62ad5da15be16aec0d56a549788d982f4

SHA512
28f42d1f9bff35d8514eaf80b74903f4ae2a6918bb1d682394578d8ea3ae23a3609916ab7f1269cecf37bfda5f822dcdc05f593d94fbd51f02a5bf7ff0859989

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
352910a612e456a9635be59d4b9cf76f

SHA1
edac052e186e185218868de5100ae917085840f4

SHA256
a36742e0d5535f7b8713644a1f402b67d73ac2f40920fee91400f4b62ae6dddc

SHA512
8f8e295011d0589d4d86e14a9701db693d4c9a0efd8686c4ec5d41977f876d7c2d98fe9bc9ee2b9a57eddf3fa569eea11276dba9b8350876db903a7ac878e7bc

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
fc102a631502441515de88f1e4f7839a

SHA1
62db0d02951774b9dcaf15256d903a5ac3711e9b

SHA256
1d0b442886732852b189cce4185d2f5d5ac41f3691a5aa3c4fd44f10be0b1904

SHA512
4dcfbcfa9f1906b9c77b1d504f6adb8610459ebc925fdb1cc283a5894a6b1227c7a1d6d537bb568169480981903db7ae38adba4f95e3c876427bc3f2ecd304d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1fd2bcf7be677e004a5421b78e261340

SHA1
4e5abd04329ee1ffaebe9c04b67deef17f89ff84

SHA256
f539c848f584add20b43d5daefd614526b67adbf22b0c89eaa7802a8a653cd31

SHA512
929499946e38281bd808b37b362c4a86f3b6382eb1ecd5fc094410d3688906d14a114ca930a2cf38b6241ab734bc5959e6fe541270d47ca9538e82a68c99cc77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e92d1349324c9574ef62f678ed6b5f6b

SHA1
64ad186d70ea6ce3c9cc9baaa1717f5938685699

SHA256
ca9a36fe937c3bae44c013363de8de27857b6ad5450cf979d1369e8eb9221118

SHA512
73a84eb0096f5599f23b38353de70fbc89f407b427260fcd01801bd550d2ac98e7470750b51ab84d714e20abaf76872fa8a74eb840563d73c6a6543cf10dde05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a6300c35410f047772902d5b4121c357

SHA1
fd80b9a6651d8ee1c8b6d9fb4fe9a9bfd536b3ee

SHA256
b32237aa43701d24b9016d1a457727c79702ff0d76acf2ad21d04e07f0e82e94

SHA512
ef665e808d0e3df6f77a7606dfef73a66a551fb41737b9e29016c1b476c1b88527efcd949ba3796f8b38f3166686c98a165f7a6f01a4e7e73ca78a3926f1c88b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
895a9fc49b264cacdd6c07e6006cce78

SHA1
59bf6bea8dab9754ba90628c1905a7908a6c0725

SHA256
801596f584bcebe901c736a3b29d8bc3985ff71b6c51030ac5c1f625487ceaa1

SHA512
802067bf9629b12aa00752b1a2817e0581ea9905b403699ef9a517b231b2e81ae67f0111e75b4adf7c5c13eaf0da2346da5797800a59276580056d255cd41830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
49fe19eb6b7d6f46a05fcb47d0debee4

SHA1
5ce46bb5230fcbac83ce537d0c9f24f686be8003

SHA256
340a02c1eb93cf4cbcc28ca38ad03f04626cf2dc847b449391eac3ff1d8ae3a5

SHA512
fa0b60ed4f57e0f5e321451faca75272b55f08879f862f8f242dafd0bab0a05369c3280791e04801091646fed12cc25bdc9e99a612462e73708bbb113e4e767d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
26d9ed768b41cafdb8906873c7edadf9

SHA1
c7db5bc2c312872aa449cc37ad3856061df31f30

SHA256
67094a85c14a1aed6ad61bc85be0341062b2f7861858b2729fda2fb51c2cac0f

SHA512
d0b7a250d43f4ab7c41141ba8e241bf6df2da3c0e0f9585912dfa73f80af45482323495bd92134a283052ee7d3b976113486a57d7a802093469ed12d90c5e1fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
67f922e745a4d2110a8d490f4fc1bbe0

SHA1
48e646f5baeca06167d64da2366dff069c216ae1

SHA256
fc9780383e2059c1af28530ced64876ba567a0cef46bf9960ad2af42110d287d

SHA512
eca43eabaae82c8f02acf128a4c1fd9743586adfe157c4210696c293ef73b0e8baa48e5ce1d8047ec13c9310fd8e6d81ce7ff5363d3204d0f68bb876670f0d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3a902c9b71e8d1756a7d7a2b557478a5

SHA1
28d2b6c9f8bea0a8983c842c352ba3ec057ac44f

SHA256
dbf3ea70ce358c4a5683f5cb9838283fdfebb6774c341de9e8ec5bd025e5b092

SHA512
9311408721972811709f6defbd1495b9ab0d4ea0833348cc554ebffcd622df3cb3ba0fc57e58cdfff147a1f588c86eb21db43199da0eb74cd0676d86ba686727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
555313d1d3b62c625b43a35a4cf45485

SHA1
4a5e2dfdd9a1577af99fa60bf09665b22ee5f372

SHA256
b07025edaf93fcdf4ce31da30e62996a642a9bbe318ae4a533aba9a583d9a048

SHA512
1f6714522c05b52cd5adc514b6de08d5bcd22ca6d4e3a83d36c76a2cfca24992eeb6136cbcbb06033b60629d24e98106278cd9a4c65131369ad20d4d9dc64251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92a4982c9b83c237efecbcfb91a344bc

SHA1
e9d6d9d86731a913fdfe99425967ce96e29f0403

SHA256
a8b526fc428eadaf57371b2ba39d9e71726545b544c85065818c00ba0df02fe3

SHA512
7ad2b32e222ba777cdb7c98ae6f4941d0b387e90df8901169f6fda0689c97bc028fd1c9724defd89db90d88fab8d5060d93c5dba7a892992544bb9b7a645ba04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0dc32cdb725f289540f2f9969b73ffcf

SHA1
40b19a1a8d17780acdef918467c06072847f0d1e

SHA256
4d1beef18dec64ee70b44f6e4359e5d5cc016c923cbfb56f03e33526ccce36e0

SHA512
3a34a8837ea75813ed8197c82b83baab5baa164ad5ff4f14403bb1fc255c25fec3850c80e910504d5adbb327da2c3bc3dd48c24763b07ec64671f7122656bd09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
97113d536826a75b0772afa787537ffe

SHA1
59bb13bd1e5843990d3e14231233316b5c7e0f60

SHA256
9026772231067467ef5b1c3ab9cc3de6c3876e6d6d8b58ef3f04c01faa9352ee

SHA512
40ee284ad29bd09b27d9698fc6e874ecabc7fd6acb29a95434391777fa8de51ad23ebfbb2daba41863604d3345006e8c22161dc489d7312908756ab38f9afed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
97865e6ef518c176a659f609487bb42b

SHA1
594afa885a6b91f4833e37c912c4ef211db685b0

SHA256
506b35c8c5c84939e1ae5e0a0f8af58cc87bb4f959c488e832e6bcec7aad51c8

SHA512
3189f828887bdfcec7f9409f12fa3399ba5b5354ea78229e3eb3f00b821014c4781daa57d762eb4cf351f198e336f206d4773d25c71daae380fa048d679df258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
256220018695612f43b8df3ddd3efccf

SHA1
b537e27bbfd594b2a35d060c92a4214467b222df

SHA256
b9eaf1f435032d72563ff5040f836ac1a1d9b389e47ab3f140104614b5020873

SHA512
484ca672c97c0f4f0abb3e499fc5138e652f6625daf93773f11497c6ecd2d724f078325af1d398bc0c4eba32498bb1bfb8314b3e27968bae96e4619c1fdbd57c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
89c74abfbb11b9aaf6e9bee2fb113f96

SHA1
37539f86f5eb655890326f0fd0ab240f867b1d31

SHA256
b778e3a55310ab025167e1b1821c7370383637516341e6553b6c816122f88002

SHA512
dee0d79aa34320aa6e51c68a70ed6cb04356abd039f1f1d1ded0632d890b2fa45ddeeb9a5e1762018df4f0e7cf30306fd76244cd6791999c61f4393141b3b643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
8b1fe30486a5eb014a6ad02a179c8c6c

SHA1
a99f3b61824610ceec0ea51637d75c7739acb69f

SHA256
b1599f9371a57bb869675323b46aadea7af3dca64d76f6c9df65bd0b038f9d5c

SHA512
9056313051cac1211a7bb1418f45702985eb4a829dcb0ac698567852609cb731688c8816588d895353a251a6981bc63cfb99f32c9efcbc58411b4098507b993a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b90a08696865c3bb66799ecae50389fb

SHA1
50e4f5880c55acce1cfba84d04ad521ef10bf32c

SHA256
e75886b06a860c0e940e71997c001fe112ff8d97c5c81d422c748fd30c65a4f6

SHA512
a07b50881ca8f68fdc9c6aff4d747beb5a0021a088fde21aad59995fbd9617eabe42df4e65f29edc1a47935fc7049784727d62cdcab027bc53ae0ab5c5142314

Download Submit
C:\Users\Admin\AppData\Local\Temp\347157\Folding.com

Filesize
1KB

MD5
bc0c466ea461f70dc2bab92020f1e643

SHA1
f17c66912508e95eac59bda2e773849600471a88

SHA256
f3c6eb4b4f81b5e1aa458d46225dccd651a2d44d1367a14718b6bb76beec1de1

SHA512
b1d03c359b8fcf46e7f07536004f7d11ab7bdd0cb044ca7bcfe63501428c4c93e43591e8367e5676478da8d554e4bd579cb6e37dc617f97f8a54a372361073c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\347157\Folding.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\347157\j

Filesize
494KB

MD5
549720d78c44a4ca96f98a02d7376be0

SHA1
c18a7ddd59ea61df41acfac5544aadc72bb6acba

SHA256
37204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67

SHA512
392674f314a993f0eb2e22354a9922b006e28b01cb2abdf416a188e48b8fbbea8df93cb793cefd6e91259b7de71c502ac1e5c33273d94e1a3671ee1147cbdab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accessibility

Filesize
118KB

MD5
539587208032af4b529a60d530f100a4

SHA1
ef39ddfa82f53bde5a674e51318aa3ce9a8789b2

SHA256
bcee5e27e34159419173575bf6e22e23f0dad46cf6fa6aa84a1bb01c96516662

SHA512
4c261199485e6a40ce46147c98e244f1297446115ebd6c944a29e4242b361816980ccb6096286c8f9dbec00f13ea9fdfa417648980bf06721abc866630c5e53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertise

Filesize
55KB

MD5
eaab0c7db38adca2364923dc1bb8bacf

SHA1
182819623bdee90678ae233b8094d05e51d48d68

SHA256
5a5c226453b9c7c7f7bdb980ad2a02838456f9420d182d14c7336f8264a894f0

SHA512
53d2c6559e2d1e71b62f91444608f1e61a246433499b75d6e3193cfd645ac4af3c4e4e1359da02b522d1e121de31f51d0010d96e8ef435a92328cef69aba4910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Any

Filesize
15KB

MD5
59051edf957c7f4fec5e278f07cfdaa9

SHA1
409217185334c187412941583e5814753d3f670f

SHA256
71cb36f1506fa645a90a6f06619b67c4f2f0e1e0140bac2e6f8a91ed1988446f

SHA512
f1897fa7dcc38c845cc3862f1eb33d493ca6c09338a6a7817fac6e99a72ecd07001a84e1935eccddf58e163fd8396c3333fad4c365cd5c8ade281dbc84735aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architectural

Filesize
102KB

MD5
ac3b8c0b9d965801a696519bc3bce457

SHA1
c2fb54f9d7ffbbea6e5db175ca214eccc0b8ee7c

SHA256
fbc3b647efe255870931d9dfa77a43c7248a7d8613712bcf0663862a4e97fb66

SHA512
0aeeb7d05c46063a892b3aae756bfb92f245aae66c2fcd4c34610a348ad0c0904addabb99d97ca0c9c3cba3df7e8e96500f084b840487a9ed2582d1badf638c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basement

Filesize
63KB

MD5
44a805a4e5ba191661485ef167275506

SHA1
45c2594c944f02e5260bd97a185c2f21ab232182

SHA256
e394dccd197c59fa4e2da7146174485a6681946d34faa3007bd5c1419d7125e0

SHA512
a3a8f7283ca0a0ae16b21f2b81b9cd48b953112c50e64b99daba378cd0e098108512566208365db4bb7b78355439f94bbcace6f5169091fab0202cf7d55f1952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bowling

Filesize
106KB

MD5
7cbcc0fbb084bead6d5bbb8a00cbb997

SHA1
75bfaaa5232ab2cf9f2291ee1ce08f2acb076ebb

SHA256
e0a98926b1e0968481640078ac6b833af96773a7f715851634346379f282795d

SHA512
6b33f8afe19a28e5b300e8a32c3ec98a0365fc1594c693c4527d9b0275f46f6558c50e29417499650d9c1ea7091ea7af340c4111b90af06c5ab4277170170c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Briefly

Filesize
23KB

MD5
bb009bb1ab11657dd763b3a85e90f26f

SHA1
32fb786e48105f1574e8d345e66d2b16fc051d6e

SHA256
e7b3f1da61a207080f7859d12764b1243ce5c84beaf1a7f026b3d0da5f9dec4c

SHA512
ac73396967c496b93f8d4084537a286b4d5fe1315b0fd5992b03cc019521c1c25bafcb9826f85af59495a01ec711a2ec789c43af5befa46557f99224d0ce92bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chapters

Filesize
56KB

MD5
19f399e75e91c4917cce10422db7b0fb

SHA1
145fb431681a91d64a77b0ca99ba31b4ed7457b9

SHA256
bbe32640a1be9b9dc5570043a2c72bd3d1da1e3480e61e41a1dc8daa42b07bd7

SHA512
25b85fe872e3e9fc5e70d3dfd1647a6bbf2919d67126bb9007dcc61aae549d64a9b79fd3c05bc996202b03630420ecb4eb5b5613d0a1adeab0d2670e6a5aff6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continuous

Filesize
119KB

MD5
87cfc9cbddca81f037640e23869fd727

SHA1
e71c0a8106944e238edba3b2d6194cf5cb383168

SHA256
f648aed5047fa8e5b99ce81cf85f05f4cfb193b8b349e6e5656e5c6dd0917cb2

SHA512
2a3c9bbdbd222f9328b1379de025bff3f8d2c693fe68558cdb24a516ee7c9ac6615a9d1d62e4682532f8567138e67e6c26b6c7068d87b00415fc915172928e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Destruction

Filesize
75KB

MD5
e9ed56e42470ceb7a46263c49b9d8110

SHA1
13794b6f705be789af214a4f81585dee3710512b

SHA256
d97494026b70f37cabc0ac614f54206ae2c5a5ab601b71888ae6491241dc2b20

SHA512
ca1c0f00a68267274e9d31f3a2de0fb34ccfce0a57d67ffe76633fe1a156c05f1381b0c696f75898fd8b370cb8a6e56174bdfb43729ab2668e444ee6748d8040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Difficulties

Filesize
1KB

MD5
d2ac6356ed5ed3a32e46acb2f47d68f5

SHA1
e41205fe32c1ed0cc4a265e942dd472a76a22592

SHA256
6b6a43352b0b87107609d9c91992b30069200b308e5a2a50ed5a931315f82bdc

SHA512
47bafca4c789c7fad4db0534a93b8c7b659abb999393425f58d9b28ba553be1cc45b9001da1d5820e65b107034f48cd441c6855c7d7fc08117985d81054394a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Florida

Filesize
81KB

MD5
35ee0a5fee1964bd57f2c66347d726df

SHA1
d37bb5ba2456a310891f93d8e9ae1ad196dabcf6

SHA256
9b8ab89609b074479bc9fe749e12792c34ab4799ea7ea5ac67cdd3758a1c1181

SHA512
2006b993a36599a56131d744ea750a3de3d5eeb629d111d751d552e86cf3a4ea1c7d9b9dbb727e77b65ec8684cf0f22476840aed73df15186041b087476c0689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msg

Filesize
91KB

MD5
478eae0d2d8bc46181226c275688315d

SHA1
674d1c954b6ba8bc77ea6e112912b2fbde64fbeb

SHA256
aae6d5fc0e80a6033d55b81e05db13c66604f5fe453f78440de3912a44c553c1

SHA512
9833ef8d0d29cbf1b1738eefd4c175a169c770f70f2699bde703092e5102439c779e7474866534bba6b58f49d160a49be0750b686c171415191ddb10469eb26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\National

Filesize
478KB

MD5
f5406ccecddc6c9bd30ed30343c756ab

SHA1
080ebf3593ee3c272e7e4f7c98fee6d326da45f8

SHA256
a46bd5c1472f8b655ace3314ca667d39b10d989b6f8ed17b6c753b8b947a6938

SHA512
a25eba5ea58855e65c529b858399b1574ccbed89038e90d50170562eceb11efba4f16242d54ad3b5232edc11f3f61109bbafc4398124c1bb45e43693657b1e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passenger

Filesize
68KB

MD5
355fafaeefdaaa291b3f48356e24216c

SHA1
c675a50bffcf18f357966ec51e0adaf05a25b86b

SHA256
d3210c22706049ab7ca2304fd17507bfa4a842af579a00b60644e09178f9fddb

SHA512
f2fb4e46b4d6b24cba584e51c6a43e8ed1174a5048a69bd61a6e24e2772f389e55c2f6384d1ffe7c6f44eab8a6fe059608e39a0a60ad30f06eb63589c723ab4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rt

Filesize
86KB

MD5
fc6c4e0bdb11443834c6af5b2ff6e6bb

SHA1
3c4bf0970e36371844c9a27a041fd09cbf65cf56

SHA256
445d2c74ae1ba5af2eba4cc4a4deeabbda1ef920e272ce9f54a7d9374eb23402

SHA512
9588272669bf2ecf277c83c836be28d4757a21b033e9919747fc11a7767abaf5d3af002d3379626b65e537aaa8fd2e30113994353592bcee577f3fbdd02dea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saddam

Filesize
54KB

MD5
7b8c4652937f053027395d23ef6c5b93

SHA1
3e203439da403069184a56d40d00b51e8a03a2cf

SHA256
733b3e2f49984688e345d1acb07d22c9d5e44742f572fd610c114c50c04c3024

SHA512
67b5aac27923f00fa7e39cefb6adc6714845cc9e3db51aa2fe8c910e09f95b2fe46ddc901257afa63ede0988792ee6245089ea419bd257e53f05c926793de929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stretch

Filesize
58KB

MD5
110f9b2d470e415d55f8a0d78ae1f8a1

SHA1
eeb9c0bf82f9a797fceed7d9725221348f45dcf1

SHA256
fbafdc9359e5294e8410d3862aee050c5cc03aec557bd83345bdca27981c0138

SHA512
1a8bf9fe93ff1b8cff52191bae71fed8822f4d99dd59ee6420709d037e26a185695e819535c793ffbe849e63637725e9ebdf487b57bb8f1ec3b4852e93954551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terrace

Filesize
50KB

MD5
6f3b4f30afb0c2fc164daaee95348815

SHA1
c59e8d78f11d5af9aca282d52752c0846292d5e6

SHA256
987fdfe4cb214563ecd4ba6d1990284e485a7701c323c1564d9d4afd3554c890

SHA512
ce51ba253dc008b82ae51ac797362f93515b1ef481d6189f596f74c1172379bfa4bb86aa713ea62520a11c24281047aaee0d203d48fa1f3dcdc5121fff385809

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visa

Filesize
137KB

MD5
0fffca2125ec2d790c02b2bcd12ec8aa

SHA1
55883ab44b36fa0efe4747e2653786fbda5b60a5

SHA256
9dc03047dec2d31586916298828447b291b3eadae317bab07f8917e4bf4dde96

SHA512
53d6bb959d2d5ad5b3be4dde2b6c877eee4ae65e411f095bad980fc6ee58f49437dc8503186d544ab60aa6824cd70e616bf79cc13b713e27c5f75640db8ed70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Welding

Filesize
83KB

MD5
9a2d8d245f55c0918e6a7e8b9e22ed25

SHA1
827ace99c5e1570e3ea912e67dcf7ef6851c3ee1

SHA256
e252cd74c35df37627de02488911ecfc1d57320be7dec21a7de03ccb9664d84b

SHA512
076fba85e84cb31486a947e31c39464e08faacdad7b26645699f39fbe6f3d6bc6a7b926f46909f227e9c78f2ce8d9c2af0871e057db10345504db2226a2272c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Welding

Filesize
78KB

MD5
2b06dad1abdb10106987fd786ff4fb2c

SHA1
0bb88cc7d0cf82d83b93a6d2986a155dad661678

SHA256
a22314fff0de2eb79bb7e9a3242c11c0f9649c0c221677d83de062375b9fc672

SHA512
86e2114c4539f8e4ffc11686ce3a3051ea28fd0107cc4639dbc66e07f93458793598b3025983cd155b9856479b7debc12569510805352858893775382c5c5355

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5220_1477376904\27995854-f912-4bfe-8de1-6f1a6596637e.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
memory/680-581-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-579-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-571-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-572-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-570-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-576-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-580-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-582-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-578-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/680-577-0x000001C9EB1D0000-0x000001C9EB1D1000-memory.dmp

Filesize
4KB

Download
memory/1948-597-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download
memory/1948-593-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download
memory/1948-594-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download
memory/1948-595-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download
memory/1948-596-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download