lumma | hxxps://ssolaras[.]com/Bootstrapper

Analysis

max time kernel
65s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ssolaras.com/Bootstrapper

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

https://kitestarepatt.click/api

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4436	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
35	4868	Bootstrapper_V2.18.exe
36	4868	Bootstrapper_V2.18.exe
13	4736	chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Bootstrapper_V2.18.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	Bootstrapper_V2.18.exe
2124	TWbYXPVegU.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2124	TWbYXPVegU.exe
2124	TWbYXPVegU.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TWbYXPVegU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper_V2.18.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133823430394101074"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeDebugPrivilege	4868	Bootstrapper_V2.18.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2124	TWbYXPVegU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3596	3160	chrome.exe	85
PID 3160 wrote to memory of 3596	3160	chrome.exe	85
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 3204	3160	chrome.exe	86
PID 3160 wrote to memory of 4736	3160	chrome.exe	87
PID 3160 wrote to memory of 4736	3160	chrome.exe	87
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88
PID 3160 wrote to memory of 2912	3160	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ssolaras.com/Bootstrapper
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff829c4cc40,0x7ff829c4cc4c,0x7ff829c4cc58
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4744,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4740,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5212,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5224,i,1722430825668133498,2625720881534452491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:1392
- C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe
  "C:\Users\Admin\Downloads\Bootstrapper_V2.18.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\kvqrwOxXzAC' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\kvqrwOxXzAC\TWbYXPVegU.exe
    "C:\kvqrwOxXzAC\TWbYXPVegU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
501b50facc27d01f5cb0a3ff8a027595

SHA1
fe5c97032cadfa68b0b4e421d8761e1d0f10f9f7

SHA256
9536340997091cad41f6918d6d71215a0cf37e8c0aa103ffbb61d8c3521f0391

SHA512
49453a4e808c6a7b424c4ca9c1152c56c3053a74585a8b4649a77e900eee32928df5c1e39bbd8183a67a4dedf6eb709121c7f2802b7b96ae8e338a4074293e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
561b7297502b352fe109cc0d5baf0d69

SHA1
ba3c0b3bee46129cef20dc04527a09f108879035

SHA256
47b6ef7ff5875df4eb9f5042b6785e488fee803322d88066f31aa0311b4163e7

SHA512
3695ade3c832481776add18db5b752aab371b105da47e0751357a9f7ea1c16d85d9dbca59435b50685c0f2b93d29af7ba6c36907d4205070dcc50042a7affbaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a85a2537a53b88626f4bea0aefc5d37

SHA1
c1c525860445a42944f1d46d4e5aade026220b3e

SHA256
2cbaa711c00edb22f6ec995a5f7cd02e742d511a25c207f7cdbb1d1695f7afbe

SHA512
ccba114c5d21d71c0b843221a670f3af51bb63fdbd9b273b3cea91a971d89ba86e1f3a10cdd0786a69c42a0ef0ac8dbd8817c2c3ee8d0b698439ab5cf2cd60a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6f1d0a7f7dc138da6a4f9830238428b

SHA1
5088b16c430b60197e580f4a8332ff52afab1612

SHA256
c427dcaa1fcc022af7316798e62ce25318903689a9fcb7519ab84cd50270caee

SHA512
42f27ec01154be3dc1c1e559c190b50f31c3388740a2b8dbac530726776e5899082d03ba6f40a91abbd84ae37aff12285242b2c73b59c27c1a953b8f4705b710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2bae68474b02f8113288df52b85543b8

SHA1
b3d17fe25ef127ca3ecfec8bdfb28b7158b7ddbd

SHA256
71475dab30d8340c9795d583a7a1d4fb600a7870743d65dd21d6f5db98eb14c4

SHA512
b474c3196a34c06ca01639ccc11b54503bcb17a4698f4e8ce4998dd2dbe135bc7ca80a08d69fb134bbb715a64ec59f8f298817b9650d0b65d689ab58afe41213

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
0aba0e64e021fdd25616ec0d4c2223bf

SHA1
4b2ffdbcb91d7ad2fd282847ff2058ba887e29b5

SHA256
be57884d6ee973cd015f60928c9ca658013ad14f3c824f4c493ae5f6919a4307

SHA512
af78eb0917dcb430e0d1e5407ea4462ebe816664fb0e1d5cf6de7772338c88f7278680ca0f85c6f63aef6ab574b7d7c305509b70d93df6c6506eb6ce83c5b1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
70fbd5c92c64ad4c8182f9cb5fa7f07a

SHA1
cd14ad3dc04e9c4d5515fe8c5c3f755d41250b87

SHA256
40404ed97426d3c28f4218c368971abe30e75b0eafcf0c1fe07490afd46555c6

SHA512
d4458fdadf7176ff6e0feb405bb00b03c70ec931b2e40fee03e56032c4eb848f89ef07b01ad345fdac6824c2020f06299a6cbe4c9c3ffe6985f764d9d3c9b56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cb51lri2.0uk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 334202.crdownload

Filesize
69KB

MD5
84b998b4dc934f972ee48b9d878bbfb5

SHA1
a2c3d8264440669d76df9da2dda0f3d7c76d8733

SHA256
ed6826983a502b13883f0fe4e57453d88c5a7d93fb1e3d9af5b9454a8cd322b7

SHA512
71dae1ade7618278119308f66d8c64203d1b9abfd614febb7676a1c9eb84fbb86e149f9da961d64d85c2420468f1ab54fbfe8d1e805d83d8d424efa86f197895

Download Submit
C:\kvqrwOxXzAC\TWbYXPVegU.exe

Filesize
1.2MB

MD5
82b458869553d5314ec2d7bcecd8d380

SHA1
541fc9fb1384ffc8e1f024695a7eace668ad5ec6

SHA256
fd4203e487f88fd893d2c2ce3dd1ddea934c93d8f29cae146cdadab813bee7d5

SHA512
6551dcdad84a019bedf104a8862a28c712ce8758c54df189583f0763ed93062ca2918cef290f619efeda15bd8091096671b425ea7f9f3e4bbaae47297d5529d8

Download Submit
memory/2124-134-0x0000000000E60000-0x0000000001220000-memory.dmp

Filesize
3.8MB

Download
memory/2124-121-0x0000000000E60000-0x0000000001220000-memory.dmp

Filesize
3.8MB

Download
memory/4436-105-0x0000000007690000-0x0000000007726000-memory.dmp

Filesize
600KB

Download
memory/4436-103-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/4436-71-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/4436-72-0x0000000005430000-0x0000000005A58000-memory.dmp

Filesize
6.2MB

Download
memory/4436-73-0x0000000005240000-0x0000000005262000-memory.dmp

Filesize
136KB

Download
memory/4436-74-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/4436-75-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4436-110-0x0000000007730000-0x0000000007738000-memory.dmp

Filesize
32KB

Download
memory/4436-85-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4436-86-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/4436-87-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/4436-109-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/4436-89-0x00000000066A0000-0x00000000066D2000-memory.dmp

Filesize
200KB

Download
memory/4436-90-0x000000006C360000-0x000000006C3AC000-memory.dmp

Filesize
304KB

Download
memory/4436-100-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/4436-101-0x00000000072F0000-0x0000000007393000-memory.dmp

Filesize
652KB

Download
memory/4436-102-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/4436-108-0x0000000007650000-0x0000000007664000-memory.dmp

Filesize
80KB

Download
memory/4436-104-0x0000000007480000-0x000000000748A000-memory.dmp

Filesize
40KB

Download
memory/4436-107-0x0000000007640000-0x000000000764E000-memory.dmp

Filesize
56KB

Download
memory/4436-106-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/4868-68-0x0000000009F30000-0x0000000009F38000-memory.dmp

Filesize
32KB

Download
memory/4868-70-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4868-88-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4868-69-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/4868-61-0x000000000A280000-0x000000000A2B8000-memory.dmp

Filesize
224KB

Download
memory/4868-66-0x000000000A250000-0x000000000A25E000-memory.dmp

Filesize
56KB

Download
memory/4868-55-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4868-133-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4868-54-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4868-53-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4868-52-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4868-51-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download