crimsonrat | b1d04321651e99004919ad0a9bac807ea0237b1e5dbc221f45338e7129db34ae

Analysis

max time kernel
357s
max time network
359s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 06:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Software.zip
Size

8.1MB
MD5

b6a9639917df629fced5af38a3fa14b8
SHA1

78c898bdc5aa62c2567d81944439bc9db59fa76d
SHA256

b1d04321651e99004919ad0a9bac807ea0237b1e5dbc221f45338e7129db34ae
SHA512

2683e10be62d93e83fee1245a0a73652770f4a815e33ae028ba86eed7a9c6b06db0d93949a26c0379dd1cbc79740bf58ef62f1660b99d9b35ca64e16b41dd41e
SSDEEP

196608:kxIytNjPq5ld4V8ENo/0HP9bFWGMjMwXClO7etx5wx3wzvNQXwfn:itNjP84RasHxBMYwXAtQKzlQXw/

Score

10^/10

crimsonrat defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001700000002b35d-1805.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 5 IoCs

flow	pid	Process
123	1948	chrome.exe
123	1948	chrome.exe
123	1948	chrome.exe
123	1948	chrome.exe
123	1948	chrome.exe

Executes dropped EXE 6 IoCs

pid	Process
5448	$uckyLocker.exe
5748	CrimsonRAT.exe
4316	dlrarhsiva.exe
900	WinNuke.98 (1).exe
2100	7ev3n.exe
5576	system.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe"	dlrarhsiva.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
106	raw.githubusercontent.com
123	raw.githubusercontent.com
40	raw.githubusercontent.com
48	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98 (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\7ev3n.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98 (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ev3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2300df2728adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087c667f2728adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e08e7f1728adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddfebff2728adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852840786126361"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98 (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\7ev3n.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\system.exe\:Zone.Identifier:$DATA	7ev3n.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
180	schtasks.exe
5748	SCHTASKS.exe
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2896	SearchIndexer.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2904	Launcher.exe
2904	Launcher.exe
4336	chrome.exe
5364	PickerHost.exe
5064	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2876	2896	SearchIndexer.exe	91
PID 2896 wrote to memory of 2876	2896	SearchIndexer.exe	91
PID 2896 wrote to memory of 2620	2896	SearchIndexer.exe	92
PID 2896 wrote to memory of 2620	2896	SearchIndexer.exe	92
PID 2896 wrote to memory of 3400	2896	SearchIndexer.exe	93
PID 2896 wrote to memory of 3400	2896	SearchIndexer.exe	93
PID 2904 wrote to memory of 2016	2904	Launcher.exe	98
PID 2904 wrote to memory of 2016	2904	Launcher.exe	98
PID 2904 wrote to memory of 2016	2904	Launcher.exe	98
PID 4336 wrote to memory of 4728	4336	chrome.exe	102
PID 4336 wrote to memory of 4728	4336	chrome.exe	102
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1944	4336	chrome.exe	103
PID 4336 wrote to memory of 1948	4336	chrome.exe	104
PID 4336 wrote to memory of 1948	4336	chrome.exe	104
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105
PID 4336 wrote to memory of 2764	4336	chrome.exe	105

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Software.zip
1⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3600,i,2269884594570411122,17736042394233610230,262144 --variations-seed-version --mojo-platform-channel-handle=760 /prefetch:14
1⤵
PID:4472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1840

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2772 2784 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:2620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2812 2816 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  - Modifies data under HKEY_USERS
  PID:3400

C:\Users\Admin\Documents\Software\Launcher.exe
"C:\Users\Admin\Documents\Software\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\Documents\Software\bin\lua.exe
  "bin\\lua.exe" "cfg\\user-data.lua"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 14:53 /f /tn MicrosoftEdgeUpdateTaskMachineCore_ODEz /tr ""C:\Users\Admin\AppData\Local\ODEz\ODEz.exe" "C:\Users\Admin\AppData\Local\ODEz\user-data.lua""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 14:53 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:180
- - C:\Users\Admin\Documents\Software\bin\lua.exe
    "C:\Users\Admin\Documents\Software\bin\lua.exe" "C:\Users\Admin\AppData\Local\Temp\debug.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5564,i,2269884594570411122,17736042394233610230,262144 --variations-seed-version --mojo-platform-channel-handle=3892 /prefetch:14
1⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff809cacc40,0x7ff809cacc4c,0x7ff809cacc58
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3556,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5356,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5360,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5344,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5372 /prefetch:2
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5472,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5364,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3328,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3196,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4744,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5796,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5728,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5592,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1784
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5904,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5556,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5552,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4692,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5900,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5492
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:5748
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5852,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4340,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4608,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6156,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5456,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6252,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5364
- C:\Users\Admin\Downloads\WinNuke.98 (1).exe
  "C:\Users\Admin\Downloads\WinNuke.98 (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5912,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5656
- C:\Users\Admin\Downloads\7ev3n.exe
  "C:\Users\Admin\Downloads\7ev3n.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2100
- - C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3556
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5748
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4272
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        5⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:4948
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5676
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:5864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:5212
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:560
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4532
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4568
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5460
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 10 -f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=5808,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6140,i,4425944414051001093,12010563641851644464,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5416

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3991855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
83b87528e4f6870c53c70477458be022

SHA1
9d2dcd67f90256d97e31177e08ec312d7fa067a0

SHA256
3e379634ecc59ac54ffdfa32a3eddb284e271cd02965ecd842e17496ebd3c09d

SHA512
c782a65ef7dc11d18a0a67fe319720045a101aeb151d8a69e36d745879755e8736128c98c0f64547194034ee68ce64837dd4bfa50be13c7fd714d2ca1e1a4029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
71KB

MD5
40e127d26cfb391501c5742a9b0bd4e1

SHA1
804fd30edea2f8fcc750462b66e8c0b892b41f58

SHA256
2b0cdccbc113c0aaffb4a76a446619f64448f455aef1e8918ad8970fbb9f27ae

SHA512
3cc6f73804e8278ef31c971f329d2d078f6cf46a7b2900fcac5d23a8696d64ff1ea4ad4259174a25bf33bab378289749a5fa4f129e7acff8d91422460d793670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
410KB

MD5
658ddb116f6325d6489af18777e06ae4

SHA1
f97e9a397ac47f9deacb219ace9658e65e1b12cf

SHA256
b005fa6c965d83c93cec4312fd4706398f69ead75511bdb10821ea7455b6fcbc

SHA512
75041925d2a21ba52dd3d8d1f95d9bac67d70cb6058ca91a7da37c1ab88885700742a32fa462807854f93d995132e03e12c38852e1d0362b8d65706d3e5b7480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
18KB

MD5
355909e19fc9f4d46e927db79cb73606

SHA1
a18370ead9583ba4a4420a0b1e59a1e90d06ce9d

SHA256
3c3609c5ddeddc046aeb15b7e39e0bae14bd4d8029f7936f6536fdc4240fed97

SHA512
b9d2d5760a4aa3400a965dbef678e3ecfd483f392d498740024b7251a8270d6deb34c69e36ccaa19c9c7236de4e1e86c14a6604271365f416079eb25ec57ecbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
114KB

MD5
55431c3e6ec72c88f07fe5845acb873a

SHA1
d9289d1cf84a6aeedc0d4a911cc88c8106399bd7

SHA256
86bf246ab24c688d3f45e64f9d95c4687f6af8f7c3fd0f2a7c0a9c13d5f46254

SHA512
80b44c8d8362190f02e6456831621305bee12831e9ae313b3303981854e3f78544921bdf20047ec093247273c69ae94a0ccacd692f904d27f4e5af71c76bd5dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
21KB

MD5
129b8f911d37c967012f421cca576dfd

SHA1
024ba8955d15a12248906daa0bc0b460545bf7e3

SHA256
71facf58bfabe7fdab9a319f549e4acc1ddc69b9faaf4bc5dc4cb9a4a361ea66

SHA512
531732fbd9f7846af064131d00c3c233a7d06a3676b10836529e6c1b768c0684cc88202f69bf37b0deef245052e5c448acfcbbe5127a3c034eafb6af89fea899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
21KB

MD5
8e01662903be9168b6c368070e422741

SHA1
52d65becbc262c5599e90c3b50d5a0d0ce5de848

SHA256
ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a

SHA512
42b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
37KB

MD5
a565ccff6135e8e99abe4ad671f4d3d6

SHA1
f79a78a29fbcc81bfae7ce0a46004af6ed392225

SHA256
a17516d251532620c2fd884c19b136eb3f5510d1bf8b5f51e1b3a90930eb1a63

SHA512
e1768c90e74c37425abc324b1901471636ac011d7d1a6dc8e56098d2284c7bf463143116bb95389f591917b68f8375cfb1ce61ba3c1de36a5794051e89a692d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
26KB

MD5
398c110293d50515b14f6794507f6214

SHA1
4b1ef486ca6946848cb4bf90a3269eb3ee9c53bc

SHA256
04d4526dc9caa8dd4ad4b0711e929a91a3b6c07bf4a3d814e0fafeb00acc9715

SHA512
1b0f7eb26d720fbb28772915aa5318a1103d55d167bec169e62b25aa4ff59610558cf2f3947539886255f0fa919349b082158627dd87f68a81abac64ba038f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
60KB

MD5
80ececc1294d34fe3288ffef1cb694fb

SHA1
c6a10deccbbd0bac69715bf1d1a19fd447671c59

SHA256
dcfac6747a1caba216a8edfcfcc7581131866b6eab02fe82064cc3b97e6c56a5

SHA512
1470098136343f624191d690f45b71dc60c7a55260bd03d0c335603838b7983f6640c60636fe6763abb3d7af9f68600ef60da3ef55aa47635d33ac82295e956b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
18KB

MD5
217be7c2c2b94d492f2727a84a76a6cf

SHA1
10fd73eb330361e134f3f2c47ba0680e36c243c5

SHA256
b1641bab948ab5db030ec878e3aa76a0a94fd3a03b67f8e4ac7c53f8f4209df0

SHA512
b08ea76e5b6c4c32e081ca84f46dc1b748c33c1830c2ba11cfeb2932a9d43fbb48c4006da53f5aac264768a9eb32a408f49b8b83932d6c8694d44a1464210158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
44KB

MD5
f3f46b59c528ab2459c60d077a3954b0

SHA1
1fcdeaf67afb0555f282ddaa642c837fb1b4f246

SHA256
8afa0760141515f1bdcbf60641fc6f224340d1cf5f2c9cc6174046533ee76dbc

SHA512
0f25999c7555407e2245f0ca19d4dc46309110280288cf9c1184f027fea8f55302c5630178cdbd961d258d9b4324cc5a0dc762076225d8d4abf632c5bbcba787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
109KB

MD5
07a241480e6cb8e8850e10c26896ef76

SHA1
55c55b15bf17b9df7c18223819a57794fd6483b3

SHA256
ef3c1a0c63d71600ee199a2d493767db0f867d3e632362790ecf520011cb5d78

SHA512
a693d4736408d68907484a0b8c52118000213b262115a13dedcd3197fabf4ebb686a2005b6f10428760abcf8e7689ef04f929447d0a4e59d22e97ba5a2ee3c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
17KB

MD5
05a8dd0c6b08f902f4328fbd34855afa

SHA1
e040335501db4aeec1086187ebf57f9a5e47a4f7

SHA256
3f95ab964f1cc391140f6c345a1cf018aefbd2ed234daeb0b3bc22a0fb3e8dd8

SHA512
b40807d3e0facc5d3ffbf166239f80289dd8b41525942d5e3b9a05dfd6b5a43887c64e10305280de7a65bfc125fc1264e2ecad1e376c90e869856321aee7e30d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033

Filesize
22KB

MD5
b18d19b69821407dd026741f95d2a8d8

SHA1
253127599ca30c8131f7ab7bf18b4ff50c725af5

SHA256
7075c57b147f8140cb6b5ccbe3d0bb1654d0bb99bc1b96f49839492d3284403f

SHA512
ea5164bb6d09e03036d46fc6c782f9b9352290f411220f3a9d37d60d017c2cd2cb66d1babb8c44e922b01d8bd9b9b432d43cf6f77f4b0d80d95f9ef0d2a746ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
16KB

MD5
58795165fd616e7533d2fee408040605

SHA1
577e9fb5de2152fec8f871064351a45c5333f10e

SHA256
e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e

SHA512
b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\44d5079ad5841b25_0

Filesize
8KB

MD5
c1c8bf339493ee3b995fcc1481dd6363

SHA1
73174d05b2bf04e760b3f4325e86b146aa0171a3

SHA256
eb928e7a9010c6b5427a3827f3eb1a4ef9f8982e8b00fd74ea4e6d3771ca0cff

SHA512
2895140f459a53f8fa81c629ee1aa6cba2d9a904653aec258f1d0d743353d80d9e75b7d3ca90e36865c2d40053116839f1df80168c120b23f9cb469f6bdfabb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f041df28d2937101877bb4cbeead18cf

SHA1
55031ca4a78aea070b36be27d9d8e347608a2ae1

SHA256
8778963a3953822a3dd4ce80c7c4b538514a091b7d38c66d4796d889b1e9f606

SHA512
1eeacb2693340955f9391a6c20a1b42c8b60204628bd6b2f051ab2caf652c2b0f961e5f74fa588b33d367dc3dc293f061ad9e4982b52571371be195e183614ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ccb85f2aa214c1507348c16d2ca84dd3

SHA1
a0308bddcd7c6bfda4d217c32e5e14bdf058af5e

SHA256
0ab8fbf07b1d786c17c50dd2e9a1167ce8db5199132ac794d8a3360def8fb6de

SHA512
7633b304c93f752a6aa30f8e2efef6319d1dfeeea5c0c7f9a9ec2625d4e709a965f64146acf9ce4f3df5afedebdaf1cdc6e968cbadc976c0056c8e14098a0fd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
253868e398c4901e183d48019906bd10

SHA1
f04b09be0dd35819a281033cc49e9be4274bfd39

SHA256
9cdaa60ef9045ce306ddea6962238767bd6ea7acda88c5b8ef8f3e81df408ce2

SHA512
47e0ce883124b59260223cd3b363eaf46f98dc4aad742b49343ebb3cbd9f196ab409c50f8b9ead4b2851d6d870ed5b2972944272fac936ec6c90ae0f34c50714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
59b8ec8fe650ad3527e82839dafa9099

SHA1
2345d94079c7ad99aa8cf2922634ba4cc63ebfc2

SHA256
572c01e35b5df0f01c966efdc9bf67bca76981c6dc47486406e5770b1308e017

SHA512
bbd9c8ed19cbff89d402f4f9e12b689f271517f097d84ef8feea0bede85d2273b16afff9ab8a8a525bc6cd0a6781430cff4cfd01128d3cdd085d669cb334c682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
9f1aa4976e6e1dc65744f1291c962974

SHA1
e65e7387dec5788287386f723ec3d7f44cc0a86a

SHA256
1de72f79b142e3adb5638cbe7f43b756f81ecb633d1640326c08db4878b2ba78

SHA512
9b9b765e98ffd3ce4a59e016b596fdeb14c55ad483eb2a989a682c7645fe5a026bea4b515bb14bf47c0f92e03a8417c6629426b50752a97c3177729aa9b8b45d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
e7a8303b9c547dd72deb05a450ecf9c9

SHA1
70cca111e7bd5cdde49951003beef45b2b6f9e14

SHA256
ec851f619f6ac7294309e2bf728a1265205fa6118b8145f3b0190f204a418547

SHA512
eb705891aee95d76067b7d075bc72e493df0da24b63d775591b88b80e9c85cbc35d103442c69b8ef5c04b0b00cc26a44a0c9edb93c8826ae556eb897ec114d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
35a8078ca7ea31dfc18b7f341fb3db32

SHA1
3e6086facc8dd48ead4003581aab20032732c20c

SHA256
162c241d275e0805760f869e563d1c68d8fe00d7e1e60ebf3fc23e585796920e

SHA512
b1ae56940c679494bdc32dcbd1ac2e410db0dc5b6e4d4818100ed94d8c326156d6b896081dbe585db817d0c1910e240af9d4c384025849725276d22046beb0c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
04a3ccb379dabbee432f3812ab92b057

SHA1
44e7a0adb65fd3c2812db1b662f8f329393725f7

SHA256
aa7744feee2006c2732fe50f702308485f71f40337742dc113862ea571aa5820

SHA512
3deae308122123ce5b74e48e9a1ce1223a32584142843f8076dae5f4654a2c98e7de340eec73a2107a15111539f0ed75818017acddee48c29844330d9c624aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f514e6c84b8e37ef498780729b4534b1

SHA1
13c2e973bad1cd82e6327860aeb0a8c16b67520f

SHA256
a388a7999ffc7fa50ca5c914d2bb90e9ab4a5e432f051357c947ce96099a3530

SHA512
613827aee4748dcf605d8e3f35edaac40f6f343ee8923d1f0d81f41539e37806e1555494dac41717eeedd9118bee278103a66dd382a202427c7f5fff717e45e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dba97a72de6da7ad335244feb01b2df6

SHA1
6370f0db293dacacebc7d6ffa17aaf42a972a9ec

SHA256
2ee1d58f2059ecfd01a6c75efbfc1082478f4b1911af39de8cdbd78a40df4767

SHA512
db3366de09fcde4f9a55c863dbb0fd4954301ec1ce0400939c067177f014d628916cf3ccc678bc2500ece69338b4bc0014fd537d311b4843f79b7849396cfbbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
050825865b8756bff67c5f52ec1b701f

SHA1
3874c86ea2f03bffdbe0153f8cf34cc2af9c5b33

SHA256
4bf3ba1634acb6a3aaf1784d106416dc7e44ea71fda7d149e305782eafdbfec5

SHA512
1b9416b1e70b7404a6b94146a005dae843327e74f94214412517c7f9d41f8c892ab53a50d01eb454f1f3c8d5964a566e19cbd15da3a9e1cddf24cfb7a7597c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
40cc0437d5b549e2381182d8369d0643

SHA1
e162bb00533d8beca03fa1505008b6e2e41af7fc

SHA256
3e2d26a76db957fae8d6e14e338c81fef5eed3dce338607e5ca9bada04fcaeb3

SHA512
39df075f80fa15ddb350dca76d01499c9f4565008a417c8d3c0f863c2068fe44555035cc993928a91190389a2ff61ceabf46584d75b20adca4c8df38eb38627e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c3fca083de5ea9e8a8f8811a9381b26

SHA1
e60d117580ea33918d0c9333561b95fcf60b8580

SHA256
9de262dce713aa20a018864a9e279a2d15a267aba6894aa5f667ab5f2dedd426

SHA512
fdd16e77dad818d4551d505648ce434e52ce3bd75ef04b1aa0b7b35059e5c4949362c61f2d94a91cf67a1f5efd9ab1cfe4c6393c66a4be1d65fdc4d2e0fed929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cf0bc6c5d2e8fd3896cbe5f3bbc28dac

SHA1
e0e982446fae59a4cdb107903cc432fdb281bfb3

SHA256
520c08b13189e060bc4f6d51aa2d69b1c8ca832cbb1d8e3bfdf59f1655cbb312

SHA512
001b79bf2e18c97f8dada8a218ea2495c4ff89fea46dd1200072da05ecf776986690e69b79bc4561b1543b1f3e90aa65c4ef54741990bbd53ae6628a5d189076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4bfc077b5faaa0f9834a39d383357f8b

SHA1
7f12a6be440a0920f47857d20f750aace9010e2a

SHA256
e97e736938344222fdfd824676dbdd560b2bba8e1c33263fa5909b0966f8ffdd

SHA512
8d51cba5ac659c26bed32fa18dc9e5a6fcf149933a136195b68aa7452607649c170e0a9134598ee3cf6b7087e7255acdb9c9f4f221d1e843e366a6809cb42f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4cd2bb1f84809b064f1df39d8898ad39

SHA1
a8244586d7feeefa92e0889f5dbf2f7555270832

SHA256
031e047f293e099c39757bcabd78a63c2dda507c461ece002ac02c2bb99ec52b

SHA512
05e0c5b645ce4dbb2aac8bb7b213eb0d06263a7b7b543aa498a24f16935f639d1b0ae479a81d779c43c4eb55a9aa348138f68eba558f70920cebffacc88878cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
524f290b6c72180a6fae2333d0e58138

SHA1
3438706defd36cb848d55921a5751e983d98db17

SHA256
6849d388ada35c1bb459abf9117e9ee0e6a2a922297f812c380f808143b43bed

SHA512
01b588ed9db75dae5156f1a9c52316f1b2405a1bed7ca12a0d8599512bd04a73e43ec1d8bdd509b8707037810247a7a2af9261e1f7e023937bd0b0920646883c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4e17135a7d1011e6c95717f8ca4b2422

SHA1
44be0a065ee74fbf94ede0c9c79c0dc32cb58444

SHA256
49d86f3093c86d586171d74a88f262af870cb3ee9beca87bd6e0dd1589c0e456

SHA512
b5813437ec8bb9c2de8259706fb53c0fdf8e845d219458281461976d960ede0e0e582afe8ec17ef864ad19bca6c72e2a383609ff07662cfb8b7f5acfed111c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2668e4b50cdfb936afae271dfcfed20

SHA1
93ea3a12588f3634d155ad0fa731f9135e3d1281

SHA256
d93b34f47d2eba7c427f6c47e16008bf3688eb1d545c2435497fb1a3f74ed9ba

SHA512
01256980f86b6752e87f7395bd171ea36d2103f54935b8709202a991eca0033b852b2f740413a2f046f454af792af30f181b22b3615331545996da8080448c7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d27512ab8f466f01abc8d62ce7875903

SHA1
d233b540c3b53fc14ab6fd180caf6d22842d5e97

SHA256
9e1efcd3d04906567f0c7a18aa449fe25125b7d99c0e0d9a4c06c9623f44157a

SHA512
242333ea01c8d989ecc9833833aa6ed1347c815f890ab0d1c00a9ae0662893bff897f9a56ed2f68300c325c78de7e4139f53794cd6389aace4351401e327c246

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8e916559d3c6c36b49d7f912a29ec7cf

SHA1
847bd769221c96283c2263671f3365f4e0e7f934

SHA256
d13584b0f8447cb83acfa1d009061bdd16b2bd281b6ec9915f824a6ff1761db8

SHA512
748cb45c7660138c8700a79b5f5f45217147b7b4764dd497f18aa7792ef2e285ae99b5cea09e4224fcb27fefbdf45f395f4a6de6f7500f5c05f1dd215c1e6bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
475fdb3cff64bbfa170cf7e936ca8a6e

SHA1
b6e01709dcaa95e0cdbd6ee6062a91472ad92c0f

SHA256
397d0b3c0b6f166ea6293be25e9fc3342ae31909b29d9bb92e58ffc4e1428594

SHA512
7203c96b5da06b3e7c3854093574d42e0ed4998aa4faf6cbb0351b4a98ae3571c34282ecca3161b6154bc57729edeb1b9ede2664060ce08c3ad94c492eb95531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25cda8a8b52eae48e962a395b75611d9

SHA1
69615dd56e41ed339e77f5d7d1d91e8c6a2587a6

SHA256
f09b0711c401f7235b2b10342ac5f6cc14ec592bd1009a0ca49ab6511b50a36a

SHA512
f2706e5dfbe1f2e9421b24bf7bf68d864dae1ebd68bc27e9e809fa65f30aa74b894e015214eb4c55b948a628a0bdc1cc0877a6b1a90ad952651a47da6e476331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8873a0746de71f5c1f969b789be9df2

SHA1
b3b74789615c92852032c9668817bf7748f98b23

SHA256
a767b2c97e4a201eb895b4241d71905345ccce8131bfb251770d359077f3f9a6

SHA512
7c027727f37f7f17820d401a60793f6273b2b47b1b915e4eaf76d540c27fca6481671f1c26a4fc8fde6b660fcba0cf100de015338e468c54cb76dd52d759962a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf5c7572fa9276ff904044842044baee

SHA1
8e903adb238bd82346c43a393349377fe18aad57

SHA256
89229fcddb002d2cc5fa9ce3c143e465d07e72807b0525c5f2dc6c0f35380362

SHA512
211f0706151c2b972bec2637e32cc74cc1d555f9c48904b93f2b7e5169058fb9416ac4b71bfd935a26e38e76940a289df15a9b181af5d8961550e1a4f56f1858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
31a53ed565bdfdc9b50c3d712428cc94

SHA1
3263c1abbf241f39e3c18d8133a1ce65d202ef52

SHA256
fd9f28673c405a46e81c8e9b34a11765eef57ab96b5687c2175de28ca17c2eb8

SHA512
6c93bd7a83e2dae9e96a7301d4bcdf60e6a84ed640a3e4f82999083e22ad29f502a04b845ba665910b86cfe851b74c4199c78a00b30a0fbef2db3eb5944eff38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a1f095d4134383280b9ac9f09f722fdb

SHA1
82763c9e244b8aaa36af6cb2bf33d9b05e5f5724

SHA256
be987896245ee8eb1345f5a0c7112dd38fd3c4a03c542ab4fcf0a1c34b75acdd

SHA512
e8ce3fc8295c578ea73bb49f95b4538d2cf69359594b08ce25b73aae80fd22b20a1a8f9ef24dd4c578eeeb0794aed8985c45be0ffb517700abd4352a36f9a617

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d292258f2a1e3b781ac88d57c8b9c235

SHA1
9d55e7af839bc275162633fffb97d19340220423

SHA256
80ed3982ba2b079568cbb9677fb58afa589071a17e391b9c195a63c48dcd3882

SHA512
94d791ddd6c320f7c6870de44a260162ecfde4c31165c0c7a7cf8ddc073dec53ec089caf5139146539e9e4b5ef8a447932127d65f824b9f0dfa50661b3360488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
434ce1ae86d391546771087aa4cfcaea

SHA1
aeebfe58db7ffbe6437e2a503b5aad19972fe327

SHA256
1349337427af3c74d794b640e9ad40b40559a8cf511e43569b874a6b96cdcf3e

SHA512
32b95491ac9c79602b43a17a0a929e9ee07dc2b3539d64f4f60f528b112196aa7146b84fce64ddf384b8f2947538831f25c61b950a618a7c95fad6ae1a1d14a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
528b98b56cce9710215c389269a072b1

SHA1
eec94bd68fdb2b40d1a7282a333b89c7ca897812

SHA256
65e89e1dcd5529540356f04b07ec03e0613db036f551d6653efa923f14f6bbef

SHA512
dc3b4812c65aa50578f4cd0470fdb5859210e01ac824a7cca520df89e82d1a9d0f3238212d4afdbbe4d5ef2c169a4a5dd2f3afd99d18692ad22dba0fc92ab7d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7c7a587384800d33da6b383f575d3373

SHA1
662ce19a8c83d8893a8ee1b1e36693606df0d654

SHA256
ea735bfb898903e5eb237ef389b907272aaf65bb6340aecdc295807496592b41

SHA512
9fec1ea2359082281a52c422538361c771575addbad4cf4ed60faae523c685ca9bfa6161f65866b59c7eaaae4876f864cafb56c56b6f7ee79ce0e6d6a1ddc1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
30a9be98bdd5dfa990081e9ad78d7fce

SHA1
2c27163dd25e6da102d6f4d0ef7937e3e8a0ef8a

SHA256
47c97e84a52770f7109603a457b79518f427ac1e5d6252152a6d5a9a9db073b0

SHA512
c00724d1e1c8f124682b5b87c4818873981f04b163076237eef81c86de9d75ff39d6c7391100318fbd937f2e263aebc0bab2dfe40a6ea797a44c0162d5e62fee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6a5eda85bb8a60c3097186a3d929193f

SHA1
df4137317eb52880886f4c71cf6aa299c4c7614b

SHA256
ab3745de7dd10597b33d9ec3649ca5b3d6739a42722b49cecba035fb5b551e5a

SHA512
54b7efe461469fd6d0df5afb88a3935ecf2b36f7be942bdbf257ff8353dcd7b670d9a565fe2fd0c075f77b244be69e96663434e5df2f587ab4336d4f0e01abe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0b926724fb1de7f9d3aebc6ae212b782

SHA1
8412a7ed6b7a3c36765cd462842f3be3523202d8

SHA256
7208159ac4cf909318033c2716d9821275c6a227db272657c1018acbfed4549b

SHA512
a0c36a086f2747cd3115071b3ac96e38db445e72d60328f6954976d68d9ac5f5b8e2e30567729da42b7f3927232a8ae5db798e8a6c2a9f4702b7b7d18681bb86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8828e47403dd004f5acabf51735a3ffd

SHA1
76f2a59a1829f49a601186b193b1bd81f0f83335

SHA256
667897222d5f56e7f4a82d5e534b313e74c6a84f59c002427182b9cf7bf357f4

SHA512
beafbb80666915bc369a8d5082b3f371ebc380fe432ad95fb0623207065456a874f5d65d2025f2f43685ccacddb4f5354a6cc6f3f2123531ec847930d66784c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1e1bf422645e969907e94aaa5fbd5a74

SHA1
d91c2680f4990df76836abb5cb8b0bbff6ff019b

SHA256
31788a85ab1c01397d48b1af8a64cf163353267c09c64c672addef56689955d5

SHA512
784c368c863c2ac5b791a3e7fc4e34f415e6b65d27f68dff4d21ccf2dc10de701a3b4bec0831632e7398a7a6b7334ce86a387b3917b1a986702582f88c6d6da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1b8a8e3233a16d17ce06fe90ca9046cd

SHA1
a2689314e0195c25ba3f95b93f5da4229c04d1e1

SHA256
a2003980d24b048a85e00673cafb23a1840b2fe0a501d49fef862991a2b126cc

SHA512
8337006ff868810f22098d744234d1a1159c538f4af36d6e8256c56bdcd42d84220cf63462a8557eece9358349228d6fe0c379f2d9af4f02089cbc99ef70ea9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
35ae2beb44c1dd08f4f10f477fe470c0

SHA1
389d093eb396b8434bf196b833759f3e28e16b9e

SHA256
10b9cfc2c1e3974a81d1fdcbc5bcc764ae4c6df8d20fe39ceb5095164845c253

SHA512
8b0038afdcae0cf5ba580139f628dd9e47f3222926450765f99ce72ac4c4d2ce458825836ab01bf0bb8d8d35262f5d798c051dac39eda994c545446742b60bc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
fe0c1edfec2dc4b4c06a0544ea48ed4d

SHA1
b306286542b9575801a6cad6fdef11fb43852c8d

SHA256
e1d2831f34e7f2f36067047c4f02ae2a030874fd5f3e796f4d9662d432596be9

SHA512
86bf343ae5e9daeef8a39b8010a4b32c5c7f7ac159eaae3b338bf64949af044cb4cd3e253c40dde395330f40b0874aa2536a61c9413ee26018ff80405abf0fd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
bf8a82e2f72dbdbf08c5a4baa395c771

SHA1
fb55ebeeea1d85d61350105ab61e31cef8d74238

SHA256
7ffa35f699c397b6cb0f3d69111ae103f6593400b61a78e68abefafd7e6d88ee

SHA512
958a5ef7a71a17291ff05a934adf463dce56d0687f1ba7db7258afb2f5bf5d4f88b8fa1fda4dd6885e4f6a4af4a994a188ac1a0b77a908dc5ecaedfaec7e2f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\debug.lua

Filesize
238KB

MD5
65ef85f0bcbd3d322cadacd7bc50b300

SHA1
cf4d8813d0f000e7ef1913806f055a2c11f08a06

SHA256
fd30c5e7fb557b769dc0c0f2c0e6a576165245f5135f7820bd8bfd38646fd9a3

SHA512
dd0f8f8c351662524376581cedb269669e6527fa2b5367dac1a42f36d0de6999b03cc36bded3487565262cd292f5661312c8f97f5826468413b7f1c9a65fa497

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4336_2065892767\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4336_2065892767\b9b4d171-5edb-4489-b2f8-f38b550270bf.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
cef788d5cd3d2f6396af1f67c80e1aa2

SHA1
c34c41896bcf08cf0ba26419daede601556e198a

SHA256
e0e31cb640dd80ecc719dd7d23dd0aec78ba6fb087d00678b074e608d38d2d5b

SHA512
e43b5d8e733d8b36b1f54e54d809b50a6258a4f51255c03b7bfe9a8e44b9bab4c70fb700f1f55d318a282988e60a39e86bfada71b44bcab69259d63ddb914b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
22KB

MD5
9cd09b94685211241453408a46a0b5bf

SHA1
9f7ec03a01564a4b842bad2aa26a29af1e718d44

SHA256
2fc2b4640e55ca3c14e0b1268d0ad08d12c7dbcd3138ff6be2cc46f0eef54de4

SHA512
1011e1fcdd4acd6203d2d7098c2dffcf7e5da7ec7e972ee81e1740e2bc20a93e3580d1ff86a0ff79df514aa16ee5251a8803953a363e7f231893e84fec9e673d

Download Submit
C:\Users\Admin\Desktop\CheckpointOpen.xlsx.WINDOWS

Filesize
13KB

MD5
d63829e22e5994debd542b8b1efe8e1f

SHA1
983fc38cd2a1a44ef669e5e869c766927b72fb3e

SHA256
e555a778644b03ee7c115a76d002a10855372ca51e3a1664c9e417e6002fd216

SHA512
766005cec81e7594dd4016110f906dfc5bf01a767a12e2b34073ac59fbd5b10cdf5b101995e6962685989d8f37d91fcbaff982178b3f9eab4d03177855714963

Download Submit
C:\Users\Admin\Desktop\ConvertFromShow.docx.WINDOWS

Filesize
18KB

MD5
b73becf135ad2a7a71bbaf45cd3ce379

SHA1
e6d0c1505d556aaf3b24f498fbb04bd8439af630

SHA256
b0d6229d81cb40e8b2ebbdaa23a763adf764f74765cd6e8dbadece82073db9ea

SHA512
9906ef79b8c1a140ef32b86c1e356b9d74e0a0a4d6a41519d6008df212aa73512bf69bdb3d1d86cc4ad8d7673bcf76056fd02e86dcd45fae2477d1f87e636217

Download Submit
C:\Users\Admin\Desktop\GrantDisable.xlsx.WINDOWS

Filesize
9KB

MD5
a397d178e8bdcdcfaf762ed4f5980029

SHA1
3a63ed5a88618696365f568c4123f4b40696b792

SHA256
601ae7773c41e6f99ac89a9e633c8b2e30550117c8237506cce71516957d2b91

SHA512
d82cb01455be0d0a2033b111bcb60901870213d1951a6f3ead2eea9bf12274189ae660b3c32741e0020b094ae9f77b3c961c416dc81983665cd60fe58c0262ec

Download Submit
C:\Users\Admin\Desktop\ImportEnable.docx.WINDOWS

Filesize
16KB

MD5
7c47366cab71ec355078ec7b055b0eef

SHA1
582b36110d4c4b611d012595ba19b8f7a5dabe73

SHA256
485bf6ed3ad22316da81f716a68e8f687c45b495b1c04b9def6976182f75bd46

SHA512
584b805e5f94f30dee7ccb28dc2dcc07d4482ab02aafe5717c115e9ff8ec265d9ddeaafff41d2a034095ac33314599ec78ac49b99ae591130f1a05b464501dd9

Download Submit
C:\Users\Admin\Desktop\READ_IT.txt

Filesize
108B

MD5
d845190db42d07b1f4a34292d8f335c7

SHA1
fa97f5c6d4aa832a0a1451730e8ba2a32b2f9339

SHA256
6bd70f8e5afcaf2bac76a5e40649be7ad4d59fb10d37e4f18ed3b1027b714b9a

SHA512
9d9310f6885084665a54cba5c33ce55d2de89978b82d59c70746f1e9ca2abdd094713e562f802f5e723654824ab872b9ab453cb32e279b5960edc196f683a08c

Download Submit
C:\Users\Admin\Desktop\SuspendRestore.jpg.WINDOWS

Filesize
549KB

MD5
3be05cf3b7ce7fd8d60a7b361c2a2516

SHA1
711b73946c342ab47ff2505e862b0f7614c6f028

SHA256
af9e7092d19c7010c677248475bbab140505d849c5fe5eeeeafb7adf9514a8a8

SHA512
b55c46fd0008fdb7addf84bd8b40ac43890aed994831c3426d3a2a7e0e4e71736f567bf3ddb7ff9563bf5751e858f9d0014a78ebb149ebe08964e182dc15cf6a

Download Submit
C:\Users\Admin\Documents\286E760F32CC46F0A95F94391BDC6F4C.json

Filesize
1KB

MD5
1861a044c7be5a2defc7800985e5bef5

SHA1
ba30596b2765ab44db000a8a982509ebb7ba5858

SHA256
a3a78624ca6cbe6a76981b596abf608b32525dee9eabd7bd36bf92aee2228976

SHA512
472fa98113bc1a24d198f7b1adc6a60bf861e03ed59adc3bd82b4ec8e064ba3a8fbc27d941d15cbcc3ed325aa6609594ba1d0589a4981d344d79760607fec05d

Download Submit
C:\Users\Admin\Downloads\4cf3a7da-ebe3-4ff5-864e-ba3b142837bd.tmp

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 869752.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 87957.crdownload

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 933852.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 964447.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/2620-63-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-38-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-53-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-52-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-44-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-58-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-48-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-57-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-59-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-49-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-36-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-37-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-39-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-50-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-51-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-47-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-40-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-45-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-41-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-56-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-54-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-46-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-61-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-62-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-60-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-43-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-42-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-65-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-55-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-66-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2620-64-0x0000028C2CB30000-0x0000028C2CB40000-memory.dmp

Filesize
64KB

Download
memory/2896-16-0x000002D953540000-0x000002D953550000-memory.dmp

Filesize
64KB

Download
memory/2896-32-0x000002D957900000-0x000002D957908000-memory.dmp

Filesize
32KB

Download
memory/2896-0-0x000002D953310000-0x000002D953320000-memory.dmp

Filesize
64KB

Download
memory/4316-1815-0x0000023C9FF10000-0x0000023CA0824000-memory.dmp

Filesize
9.1MB

Download
memory/5448-1620-0x00000000002B0000-0x000000000031E000-memory.dmp

Filesize
440KB

Download
memory/5448-1621-0x0000000005440000-0x00000000059E6000-memory.dmp

Filesize
5.6MB

Download
memory/5448-1622-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/5448-1623-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/5748-1774-0x000001E7A4EC0000-0x000001E7A4EDE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads