Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://ssolaras.com...

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/01/2025, 05:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://ssolaras.com/Bootstrapper

Score
10/10
lummadiscoveryexecutionstealer

Malware Config

Extracted

Family

lumma

C2

https://kitestarepatt.click/api

https://toppyneedus.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 15 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ssolaras.com/Bootstrapper
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa3031cc40,0x7ffa3031cc4c,0x7ffa3031cc58
      2⤵
        PID:3684
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2020 /prefetch:2
        2⤵
          PID:4660
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
          2⤵
          • Downloads MZ/PE file
          PID:4200
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1728,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
          2⤵
            PID:4348
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
            2⤵
              PID:4996
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
              2⤵
                PID:4288
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
                2⤵
                  PID:3280
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4936,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
                  2⤵
                    PID:2728
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4968,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
                    2⤵
                      PID:1868
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5084,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
                      2⤵
                        PID:2420
                      • C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe
                        "C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe"
                        2⤵
                        • Downloads MZ/PE file
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3544
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4072
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4480
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5000
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1956
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1664
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:764
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\iCvpnClxFKmA' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2040
                        • C:\iCvpnClxFKmA\IDSKEJgJFG.exe
                          "C:\iCvpnClxFKmA\IDSKEJgJFG.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:5360
                        • C:\iCvpnClxFKmA\oVjrBzqyLQ.exe
                          "C:\iCvpnClxFKmA\oVjrBzqyLQ.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:5496
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 1364
                            4⤵
                            • Program crash
                            PID:5932
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 1340
                            4⤵
                            • Program crash
                            PID:5956
                        • C:\iCvpnClxFKmA\PpcMKJsbbp.exe
                          "C:\iCvpnClxFKmA\PpcMKJsbbp.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:5600
                        • C:\iCvpnClxFKmA\ofEepQGfvW.exe
                          "C:\iCvpnClxFKmA\ofEepQGfvW.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:6076
                        • C:\iCvpnClxFKmA\ggVuQOyWpv.exe
                          "C:\iCvpnClxFKmA\ggVuQOyWpv.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:5460
                      • C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe
                        "C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe"
                        2⤵
                        • Downloads MZ/PE file
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5292
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\wTJiqiaFEOsc' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5740
                        • C:\wTJiqiaFEOsc\oXchkNgXLJ.exe
                          "C:\wTJiqiaFEOsc\oXchkNgXLJ.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:4448
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4428,i,14488070596446514597,11133074471140828021,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4088
                    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                      1⤵
                        PID:3672
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                        1⤵
                          PID:2956
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5496 -ip 5496
                          1⤵
                            PID:5840
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5496 -ip 5496
                            1⤵
                              PID:5848
                            • C:\Windows\System32\rundll32.exe
                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              1⤵
                                PID:4472
                              • C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe
                                "C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe"
                                1⤵
                                • Downloads MZ/PE file
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:4636
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\mHCWxhieplF' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5704
                                • C:\mHCWxhieplF\IpnTCszkol.exe
                                  "C:\mHCWxhieplF\IpnTCszkol.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5500

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                Filesize

                                649B

                                MD5

                                b83d3e0a520b26bac5180c6ca65b7e64

                                SHA1

                                ee119311398662851585eb09a1bb57c3330ea38a

                                SHA256

                                ef7996588959ef8e46daab1fdc4d3ff8b44354ebfad2f28b253237d17c139193

                                SHA512

                                f15bc107543751fbb7872f677b1c383c9d3293bac3ffbda95ce4f496a94de70977128fe96097a5ba82da7fbbdb10efe907d0e1fe51181d31070504f24afd0bf7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                Filesize

                                1KB

                                MD5

                                6ebaeb3f953fd10adf72e92919a11913

                                SHA1

                                4881fab9658ca08c901d06db3775432af8bdfeac

                                SHA256

                                58e255e019c091df825a6daae0d464d50cc89fd61ef74faf1666eef26c51ded6

                                SHA512

                                508f573e2e1b643c2d461421ab2ea19d8d40c34d0162b1a61f425b4ab31e1b7c1513a1d909468bc1eaa997ef7b3c4187fbe748c06fe74a4f5a3d3d87a51268e9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                f7052dac11d9b690811a00aff4a22382

                                SHA1

                                85dd771926359c5fe20a6ea80d668c66cae0f4d8

                                SHA256

                                4d20897a713f8e9d1dd26764fa8a14492757ecade906c5e7be73801d8f63dd90

                                SHA512

                                9898af5e7b400c7bc5e24ace340bac6dd1433aee7e18dc3369f8e535fe164b988b783227f44b41d1f30811ead029c54c2f1caadf58c134ebe7fc88422132198e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                ef833d85bc10083ded23a03b6b48b141

                                SHA1

                                453624282981f0bdba7fbd4842cc3dea86a2b79d

                                SHA256

                                1821ffa756595a7636a934e21b22986d98a9f7cbf9a426530798a801e133530d

                                SHA512

                                4a431348187229d4265c485c05f8837d4df7d4494bcc6771fc0304533ea9753b48c5806c4bf2f8483d21548cfd7b43f32e35cbc65d18d4ab43dcd1325b27107a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                3235aadb045c2ef21cdc14bbe501c570

                                SHA1

                                0edfb3b14ae9b21be942e97c4bb7a94ef584ab64

                                SHA256

                                f0c36f8355e04e19b9623f9756486dc9b45e8c26c4673b99f2b705b1ef426bc3

                                SHA512

                                659bdb0b5fcf1d3448776403403e9980d28fda7692b8ac733bbdc8e85c58d389f7242eee5f379aa93c15d33f0b2400a93fbede7a26fc390d8013f86e1dda37c4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                6f2eb5ef06b6cb284073117fd121a012

                                SHA1

                                c58e24462bebc8ed5bbd6a8350a214ba2513f796

                                SHA256

                                51da7e34ca1d3e66f6b085e4c14afcb0625d5dfc90624bfb1036f353ce8f40b1

                                SHA512

                                8c21cb6f637e2f6c83ea2ca4e024ac8cec44227ed558ae1c4f4c524de23b6f864d92c45b2388e774735992714324d86f5daee4979e2490642fb71623947d9480

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                9ded452b90b3c411f6efa284a9525ba4

                                SHA1

                                700acfb07ba5c078a08895c463b8ac941b3b1536

                                SHA256

                                44b0baf52543b044db8dfa216a6f683a0a90aedbfc864f2b692a10774489f4e7

                                SHA512

                                eaa50ddf0efa7ba1e580ec772f3bf1e6ca59d71f10cb22c815dbdea59d9ca9547a9d1356ba33c34e3a3d53b53e74a632866d77208e86b7028b8266a5e00d68a0

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                765e7314475217c5e64e3fd2b6b0ef49

                                SHA1

                                66dfd22021d8d3e0ecde64d2521f6203dbd28234

                                SHA256

                                0ee6fc79667c7f02718bcc1f08049677b0f3afe7fe5f64587c6d365c1cde99e8

                                SHA512

                                82c3c825b9047805d8bd94a574f56f12ded94e7d011ee221cfd7021d1b22eac32b2842160ab849be6b689e90b5687c942116fad8d85c393c62ab7fa611971dca

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                596f196a11acec02d1da95ec23126c95

                                SHA1

                                6a4f733d519e2a462fdc93c9a71b98fa92894f17

                                SHA256

                                f41349238f9c4c90c89fc0668c5219ccf0531a2b7b5f2eae028507193d5f0709

                                SHA512

                                9fb838dea11fa818624abac5ef78f81634fd4f20dace030587cced6bd5f3f4a96372cd84da10de72e617a117c13cb7bbb3d4eb005d9d4dc6b6c8a02fc2996dfb

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                3a61800541ac10e56bfcde562baf1897

                                SHA1

                                3d31486e5a3a6656904a23b9a38fc3a9d64035b8

                                SHA256

                                ea26974238383d1a334a161c2ccf584db552560874d85615a2fbb561898ff74d

                                SHA512

                                df605ffa921230ca62790a38755524535d3b2a906cb6761a9155651f334edf2583ee707ccd8a04a5e48c303affec660cbe96da17a225789d3d4bf34de399111a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                f9c22bee7a1e9935e092101acbf747d5

                                SHA1

                                83de716cf0357becc6e09803cc72a49caa1c021f

                                SHA256

                                7111f4c4bb326bea87caee1658be2e878a13ec401ec24fdc9f5323e0cad3edde

                                SHA512

                                7a3e7f5ab405b2bc0efda129c9b945b07cc7c4fc07bb6e809246e878374e9cc8237b9681b64ff54b1f53030f87105fe37a7b2ad71f91e23f763441475d10df8a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                1b12090cc1a92ece83b54727258079d5

                                SHA1

                                a3fb41020aa14b1fcea93ea7a7a7e9b02bea30a6

                                SHA256

                                4d64b5f8c26b90714788bcc2029c2aea119844b0827facac03d180136faba69c

                                SHA512

                                986ea6188a0f9c08e75bde9e9f08f30106e3a342c2ef59b07633addd836d06a291b350496131ea3a875fc40b1e30566e689b1398fb41e8ba31adff5c62813b95

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                116KB

                                MD5

                                fd7e5bd485a8a985486f54d88a7ca103

                                SHA1

                                327b1c60b6e98719c400faa337645fd109bb01c0

                                SHA256

                                85c150abb8d5552a6ce744ea4bb92b96d87525caedec9151642a35ab3d3fa4b7

                                SHA512

                                ad1a7bbda386cd795035a989802611240d7435f1aae33ff34b2b2179670ef881db4fafe4abf68d7189e783a12b93eec2dddfb807953ddb06afd297669cf24523

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                116KB

                                MD5

                                9743efa2a579b8d3cd5b3a36fb39a2a3

                                SHA1

                                ff316fb108c6ab6130dcb2e1267f6b795453140f

                                SHA256

                                8c071520f9bb5011c2efa2a7d5c4a8be33bbe97fad8d931c46cd771da106f6d7

                                SHA512

                                9455fc1c5ba3b29413bfc56d1b024149aa92e9137fc5ed9f03d05a82739aac207928977e4bbff200ec51657b07dfd2c4a1d0ca07f4d1c8d790ed89cd4e845133

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bootstrapper_V2.18.exe.log
                                Filesize

                                2KB

                                MD5

                                6e957d7b34ad939ded9328054ac65553

                                SHA1

                                6e66bb6df941c5a3a520280e3dd1755d6e9bfa3c

                                SHA256

                                2fa9c451e2e6ff9b2d0940592bf4a2dd13dedf9bd3319b97f7403b3ce97a79a0

                                SHA512

                                422dd1095f95088b3c230303fd9f889bc09accf90338a6c4b0fe1e5303dff54a0814459b6b1bc5d30e08aacfb69d0aaf8672ce459aee1f2c9c828306a3086dd8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                968cb9309758126772781b83adb8a28f

                                SHA1

                                8da30e71accf186b2ba11da1797cf67f8f78b47c

                                SHA256

                                92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                SHA512

                                4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                7509c0dcb7865c0b9d834390bf104c5f

                                SHA1

                                6867ccef1e7d8fbd50d01068dee0a8636d2a8ad6

                                SHA256

                                581679af133f86da256e2e30d0502582ae0d6a547704e20f01e01423c1aee65e

                                SHA512

                                e58ee403b16685a50af1626fd8fdfefdd4b2862a30724b4251d42bd5e179e124f7fd8749dcffe5d2ddefe74819cce46bc3be1329f395bacc6542fae02400d875

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                15b338b3fbdf82560e4ffaa4018a2637

                                SHA1

                                d7310a39fea3c8e9f60b5405065cab95510e3ed2

                                SHA256

                                fe22bea70e0dc421bcd0f53a5fc898377d1eef36b59647214bc0aedcf0ebe9ec

                                SHA512

                                76514372bc85f2663e63127dd5b71122c5fb80b3d07a14e71aad41519b3a077b45d6c6a85c80ab30498f7e1e743916eca64a9381513f393857cc54c876989bcb

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                a1f16efe39182187a6a3bb8880cbe81a

                                SHA1

                                ee03baa8c2bfa9ad32c865ee7656040e7a54aa9c

                                SHA256

                                629ae3f271c4c8df3fe426b641f7f9c296896259737b33666e3325a329791873

                                SHA512

                                196dc303d9c370356bec913b568e44523dae93c1f4b4e2d1d11ed59e0e512a9c02afbd61ce40f97a2eccf8c07af2d034c6f2e56691322398bbe889e4fa82c0fc

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                d19a35f9839758eb4c4ba4a53397b5fc

                                SHA1

                                20a432f5b309f39e78742580dcd3822b2ccdab74

                                SHA256

                                1dca06c47bdade943254257a8670107882d22f02f7cdb56f92bc870921db53e3

                                SHA512

                                b3393f84ef8c33436eaee412d589fcaf813b77f8de48b6f4d907f320e50b4fe669cb90dbb69799051d7e5d251ef50ca9014895ad3bfe0c8bf9d5e8beee5cea45

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                387d346d56b7e0247bbe5a1db0357897

                                SHA1

                                018c45268e47351065a9b202b1d2a45189567566

                                SHA256

                                e3092507d353ac3b4a779c63974b13046291d81d37191fdadb3f56570268542e

                                SHA512

                                85a2ae0da0e072981d526138d840af3e53b09a8c69a361433b516a869bdf11b08844c2f86b8c46867bb2e7e0640682cdda200ddcac4c83970f67de0bab888309

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                3e5f670ae899e513e6c12754fdd09f27

                                SHA1

                                ca91510a2b9f8ea447ef4df2988803401733692f

                                SHA256

                                26bafd476c09fa11620e09364989c244e35242c20fb5dd9f1d078443ab1fde45

                                SHA512

                                4281ce41e722907f6b8cda29dbb173ed0039a5ddd997dfb07d6afbbd70fa09fabef769543b808e964751e565ab27cdcbf26631e895709351056c6d33f1c366dd

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                0dd73b27df787dd23fc8cf418bb3a260

                                SHA1

                                9d636c9c6db28b587e05aed47771e653798b647d

                                SHA256

                                48ef2a79a37fd6a7140c2053c0f47ab0ad5edf06c56d51e573e775b2aa5677e8

                                SHA512

                                2281b19f9e4f11609b47d084bdb6cd415ee182eb1b3806bc316cec179d8a39665bb9ed0e892ce8914816576327fc4f3909f19b3df88e52d064b92eeae98d78a6

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dn0d0hm0.jni.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\Downloads\Unconfirmed 933518.crdownload
                                Filesize

                                69KB

                                MD5

                                84b998b4dc934f972ee48b9d878bbfb5

                                SHA1

                                a2c3d8264440669d76df9da2dda0f3d7c76d8733

                                SHA256

                                ed6826983a502b13883f0fe4e57453d88c5a7d93fb1e3d9af5b9454a8cd322b7

                                SHA512

                                71dae1ade7618278119308f66d8c64203d1b9abfd614febb7676a1c9eb84fbb86e149f9da961d64d85c2420468f1ab54fbfe8d1e805d83d8d424efa86f197895

                                Download Submit

                              • C:\Users\Public\Desktop\BootstrapperV1.16.exe
                                Filesize

                                800KB

                                MD5

                                2a4dcf20b82896be94eb538260c5fb93

                                SHA1

                                21f232c2fd8132f8677e53258562ad98b455e679

                                SHA256

                                ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

                                SHA512

                                4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

                                Download Submit

                              • C:\iCvpnClxFKmA\IDSKEJgJFG.exe
                                Filesize

                                1.2MB

                                MD5

                                82b458869553d5314ec2d7bcecd8d380

                                SHA1

                                541fc9fb1384ffc8e1f024695a7eace668ad5ec6

                                SHA256

                                fd4203e487f88fd893d2c2ce3dd1ddea934c93d8f29cae146cdadab813bee7d5

                                SHA512

                                6551dcdad84a019bedf104a8862a28c712ce8758c54df189583f0763ed93062ca2918cef290f619efeda15bd8091096671b425ea7f9f3e4bbaae47297d5529d8

                                Download Submit

                              • memory/764-232-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/1664-216-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/1956-180-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/2040-261-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/3544-68-0x000000000B400000-0x000000000B408000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/3544-65-0x000000000A300000-0x000000000A338000-memory.dmp

                                Filesize

                                224KB

                                Download

                              • memory/3544-66-0x0000000074FB0000-0x0000000075760000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3544-67-0x000000000A2D0000-0x000000000A2DE000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/3544-64-0x0000000074FB0000-0x0000000075760000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3544-63-0x0000000074FB0000-0x0000000075760000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3544-80-0x0000000074FB0000-0x0000000075760000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3544-78-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3544-79-0x0000000074FB0000-0x0000000075760000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3544-62-0x0000000000E30000-0x0000000000E48000-memory.dmp

                                Filesize

                                96KB

                                Download

                              • memory/3544-61-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3544-329-0x0000000074FB0000-0x0000000075760000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/4072-85-0x0000000006010000-0x0000000006076000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/4072-110-0x0000000007680000-0x0000000007723000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/4072-81-0x00000000030A0000-0x00000000030D6000-memory.dmp

                                Filesize

                                216KB

                                Download

                              • memory/4072-82-0x0000000005850000-0x0000000005E78000-memory.dmp

                                Filesize

                                6.2MB

                                Download

                              • memory/4072-83-0x00000000056B0000-0x00000000056D2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/4072-84-0x0000000005EF0000-0x0000000005F56000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/4072-86-0x0000000006080000-0x00000000063D4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/4072-146-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/4072-145-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/4072-135-0x0000000007BC0000-0x0000000007BD4000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/4072-134-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/4072-124-0x0000000007B80000-0x0000000007B91000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/4072-123-0x0000000007C00000-0x0000000007C96000-memory.dmp

                                Filesize

                                600KB

                                Download

                              • memory/4072-96-0x0000000006670000-0x000000000668E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/4072-97-0x00000000066F0000-0x000000000673C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4072-98-0x0000000007640000-0x0000000007672000-memory.dmp

                                Filesize

                                200KB

                                Download

                              • memory/4072-99-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4072-122-0x00000000079F0000-0x00000000079FA000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4072-120-0x0000000007FD0000-0x000000000864A000-memory.dmp

                                Filesize

                                6.5MB

                                Download

                              • memory/4072-121-0x0000000007980000-0x000000000799A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/4072-109-0x0000000006C10000-0x0000000006C2E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/4448-377-0x0000000000DB0000-0x0000000001170000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/4448-393-0x0000000000DB0000-0x0000000001170000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/4480-170-0x0000000007510000-0x0000000007524000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/4480-147-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/5000-159-0x000000006C480000-0x000000006C4CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/5360-285-0x0000000000AD0000-0x0000000000E90000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5360-230-0x0000000000AD0000-0x0000000000E90000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5460-324-0x0000000000E50000-0x0000000001210000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5460-327-0x0000000000E50000-0x0000000001210000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5496-249-0x0000000000BF0000-0x0000000000FB0000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5496-283-0x0000000000BF0000-0x0000000000FB0000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5500-438-0x0000000000960000-0x0000000000D20000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5500-436-0x0000000000960000-0x0000000000D20000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5600-260-0x0000000000760000-0x0000000000B20000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5600-286-0x0000000000760000-0x0000000000B20000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/5704-415-0x000000006C520000-0x000000006C56C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/5704-404-0x0000000005680000-0x00000000059D4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/5740-366-0x0000000007070000-0x0000000007084000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/5740-365-0x0000000007030000-0x0000000007041000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/5740-364-0x0000000006D80000-0x0000000006E23000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/5740-354-0x000000006C520000-0x000000006C56C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/5740-353-0x0000000005B60000-0x0000000005BAC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/5740-351-0x0000000005550000-0x00000000058A4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/6076-326-0x0000000000190000-0x0000000000550000-memory.dmp

                                Filesize

                                3.8MB

                                Download

                              • memory/6076-296-0x0000000000190000-0x0000000000550000-memory.dmp

                                Filesize

                                3.8MB

                                Download