lumma | 3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

Analysis

max time kernel
44s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 13:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe
Size

634KB
MD5

d62b289592043f863f302d7e8582e9bc
SHA1

cc72a132de961bb1f4398b933d88585ef8c29a41
SHA256

3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2
SHA512

63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c
SSDEEP

12288:SaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OH2JrZw9RlUR:Kw4GBpehMjcuP5b4Fty3pZwXlUR

Score

10^/10

lumma stealc vidar 928af183c2a2807a3c0526e8c0c9369d default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

https://wxayfarer.live/ALosnz

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://skynetxc.live/AksoPA

https://pixtreev.run/LkaUz

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://70sparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

Extracted

Family

stealc

Botnet

default

http://77.90.153.241

Attributes

url_path
/612acd258782ade8.php

Signatures

Detect Vidar Stealer 44 IoCs

stealer

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-19-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-20-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-24-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-25-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-29-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-32-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-368-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-369-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-370-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-371-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-374-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-378-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-379-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-380-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-384-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-386-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-747-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-885-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-882-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-888-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-889-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-890-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-891-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-892-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-893-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-894-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4916-971-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1608-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1628-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1629-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1634-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1635-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1638-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1642-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1643-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1644-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/15168-1648-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 2 IoCs

flow	pid	Process
236	4916	MSBuild.exe
236	4916	MSBuild.exe

Uses browser remote debugging 2 TTPs 26 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
30036	chrome.exe
30104	chrome.exe
4084	chrome.exe
2516	msedge.exe
396	msedge.exe
5352	msedge.exe
1336	chrome.exe
10964	msedge.exe
9880	msedge.exe
9876	msedge.exe
5568	chrome.exe
2352	chrome.exe
5068	chrome.exe
2932	msedge.exe
3932	chrome.exe
4080	chrome.exe
8324	msedge.exe
33180	chrome.exe
4772	msedge.exe
2532	chrome.exe
7796	chrome.exe
8472	msedge.exe
8896	msedge.exe
5948	chrome.exe
30028	chrome.exe
2404	chrome.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	kVLzYgADuvPREqVN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	yocAffQmJNkTfQn4.exe

Executes dropped EXE 7 IoCs

pid	Process
2204	op8gvkxlx4.exe
1868	5fkx4ect2v.exe
5668	q1n7g4o8yu.exe
5512	kVLzYgADuvPREqVN.exe
1564	yocAffQmJNkTfQn4.exe
4436	kVLzYgADuvPREqVN.exe
3700	QjxjwlEbFRO0SWLj.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rk1j78Od\\kVLzYgADuvPREqVN.exe"	kVLzYgADuvPREqVN.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6092 set thread context of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 2204 set thread context of 6092	2204	op8gvkxlx4.exe	137
PID 1868 set thread context of 4872	1868	5fkx4ect2v.exe	143

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
16136	1564	WerFault.exe	148
17200	3700	WerFault.exe	151
29688	6552	WerFault.exe	204
29672	9028	WerFault.exe	205

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kVLzYgADuvPREqVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yocAffQmJNkTfQn4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kVLzYgADuvPREqVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QjxjwlEbFRO0SWLj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q1n7g4o8yu.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6064	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877294902213868"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{F2553B60-FE98-404F-AF5E-7D28E0F6F98F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
5568	chrome.exe
5568	chrome.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
4916	MSBuild.exe
6092	MSBuild.exe
6092	MSBuild.exe
6092	MSBuild.exe
6092	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
5512	kVLzYgADuvPREqVN.exe
5512	kVLzYgADuvPREqVN.exe
1564	yocAffQmJNkTfQn4.exe
1564	yocAffQmJNkTfQn4.exe
1564	yocAffQmJNkTfQn4.exe
1564	yocAffQmJNkTfQn4.exe
4436	kVLzYgADuvPREqVN.exe
4436	kVLzYgADuvPREqVN.exe
4436	kVLzYgADuvPREqVN.exe
4436	kVLzYgADuvPREqVN.exe
3700	QjxjwlEbFRO0SWLj.exe
3700	QjxjwlEbFRO0SWLj.exe
4872	MSBuild.exe
4872	MSBuild.exe
3932	chrome.exe
3932	chrome.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	5568	chrome.exe
Token: SeCreatePagefilePrivilege	5568	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
5568	chrome.exe
2516	msedge.exe
2516	msedge.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
10964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6092 wrote to memory of 4864	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 6092 wrote to memory of 4864	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 6092 wrote to memory of 4864	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 6092 wrote to memory of 4916	6092	2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4916 wrote to memory of 5568	4916	MSBuild.exe	96
PID 4916 wrote to memory of 5568	4916	MSBuild.exe	96
PID 5568 wrote to memory of 4000	5568	chrome.exe	97
PID 5568 wrote to memory of 4000	5568	chrome.exe	97
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 1164	5568	chrome.exe	98
PID 5568 wrote to memory of 1164	5568	chrome.exe	98
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3544	5568	chrome.exe	99
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100
PID 5568 wrote to memory of 3560	5568	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_d62b289592043f863f302d7e8582e9bc_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xe0,0x104,0x7ffb4a50dcf8,0x7ffb4a50dd04,0x7ffb4a50dd10
      4⤵
      PID:4000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1832,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1984 /prefetch:3
      4⤵
      PID:1164
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1580 /prefetch:2
      4⤵
      PID:3544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2388,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2544 /prefetch:8
      4⤵
      PID:3560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3984,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4020 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:2404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4560,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4648 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5068
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5312 /prefetch:8
      4⤵
      PID:2836
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5308,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5436 /prefetch:8
      4⤵
      PID:2556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5604 /prefetch:8
      4⤵
      PID:5976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5696,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5704 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5656 /prefetch:8
      4⤵
      PID:3688
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5584,i,8138205996068504341,7829579177225937113,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5724 /prefetch:8
      4⤵
      PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffb39d7f208,0x7ffb39d7f214,0x7ffb39d7f220
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1984,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:2
      4⤵
      PID:5296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2216,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:2492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1888,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:8
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3572,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4184,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4200,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3616,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
      4⤵
      PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4992,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
      4⤵
      PID:3528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5304,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:8
      4⤵
      PID:3428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
      4⤵
      PID:5820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6220,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:8
      4⤵
      PID:5160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6220,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:8
      4⤵
      PID:6096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6464,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:8
      4⤵
      PID:4112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,8404087201893022940,10822344643134822723,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:8
      4⤵
      PID:2032
- - C:\ProgramData\op8gvkxlx4.exe
    "C:\ProgramData\op8gvkxlx4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6092
- - C:\ProgramData\5fkx4ect2v.exe
    "C:\ProgramData\5fkx4ect2v.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3932
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb38f1dcf8,0x7ffb38f1dd04,0x7ffb38f1dd10
        6⤵
        
        PID:3412
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2620,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2628 /prefetch:3
        6⤵
        
        PID:1528
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2580,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2464 /prefetch:2
        6⤵
        
        PID:5648
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2212,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2728 /prefetch:8
        6⤵
        
        PID:3556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3284 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4080
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2532
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4232 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:1336
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4608 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7796
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4640,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4964 /prefetch:8
        6⤵
        
        PID:6728
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5092 /prefetch:8
        6⤵
        
        PID:6512
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5496 /prefetch:8
        6⤵
        
        PID:7432
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5564,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5016 /prefetch:8
        6⤵
        
        PID:7348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5880,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:8
        6⤵
        
        PID:7532
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5092,i,8949181681963455027,1075490523539138374,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5896 /prefetch:8
        6⤵
        
        PID:5392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        
        PID:8324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:10964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x234,0x23c,0x240,0x238,0x2f0,0x7ffb394cf208,0x7ffb394cf214,0x7ffb394cf220
        7⤵
        
        PID:10544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=1940,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:3
        7⤵
        
        PID:10008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
        7⤵
        
        PID:10004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=2524,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:8
        7⤵
        
        PID:10212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3556,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4192,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:9876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:9880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5240,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
        7⤵
        
        PID:10372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5180,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
        7⤵
        
        PID:10120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5544,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
        7⤵
        
        PID:15908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5564,i,11141117630684221687,8964981628197244389,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
        7⤵
        
        PID:15916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\KJDAECAEBK.exe"
        5⤵
        
        PID:15944
      - C:\Users\Admin\KJDAECAEBK.exe
        
        "C:\Users\Admin\KJDAECAEBK.exe"
        6⤵
        
        PID:15976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:15168
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:5948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb3910dcf8,0x7ffb3910dd04,0x7ffb3910dd10
        9⤵
        
        PID:29712
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=2888 /prefetch:3
        9⤵
        
        PID:30004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2792,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:2
        9⤵
        
        PID:30012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2096,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=3020 /prefetch:8
        9⤵
        
        PID:30020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2512,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=2072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:30028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2520,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:30036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4196,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:30104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4572,i,3523894221585850330,15525815847039436481,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:33180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DHIJDHIDBG.exe"
        5⤵
        
        PID:15260
      - C:\Users\Admin\DHIJDHIDBG.exe
        
        "C:\Users\Admin\DHIJDHIDBG.exe"
        6⤵
        
        PID:15316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:15344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\BKKFHIEGDH.exe"
        5⤵
        
        PID:10204
      - C:\Users\Admin\BKKFHIEGDH.exe
        
        "C:\Users\Admin\BKKFHIEGDH.exe"
        6⤵
        
        PID:14484
        
        C:\Users\Admin\AppData\Local\Temp\XmaKYaEd\1dlLagE8y2EGLwZY.exe
        
        C:\Users\Admin\AppData\Local\Temp\XmaKYaEd\1dlLagE8y2EGLwZY.exe 0
        7⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\XmaKYaEd\Mp8F9eHTK0iL16kK.exe
        
        C:\Users\Admin\AppData\Local\Temp\XmaKYaEd\Mp8F9eHTK0iL16kK.exe 6552
        8⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 996
        9⤵
        Program crash
        
        PID:29672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 656
        8⤵
        Program crash
        
        PID:29688
- - C:\ProgramData\q1n7g4o8yu.exe
    "C:\ProgramData\q1n7g4o8yu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\kVLzYgADuvPREqVN.exe
      C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\kVLzYgADuvPREqVN.exe 0
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5512
    - - C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\yocAffQmJNkTfQn4.exe
        
        C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\yocAffQmJNkTfQn4.exe 5512
        5⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1472
        6⤵
        Program crash
        
        PID:16136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\a1ngv" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:6064

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\kVLzYgADuvPREqVN.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\kVLzYgADuvPREqVN.exe
  C:\Users\Admin\AppData\Local\Temp\Rk1j78Od\kVLzYgADuvPREqVN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\Pnn84ssZ\QjxjwlEbFRO0SWLj.exe
    C:\Users\Admin\AppData\Local\Temp\Pnn84ssZ\QjxjwlEbFRO0SWLj.exe 4436
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 640
      4⤵
      Program crash
      PID:17200

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:9572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1564 -ip 1564
1⤵
PID:14604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3700 -ip 3700
1⤵
PID:17180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6552 -ip 6552
1⤵
PID:29644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 9028 -ip 9028
1⤵
PID:29656

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:29912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5fkx4ect2v.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\ProgramData\CFCBAAEBKEGHIEBFIJJK

Filesize
6KB

MD5
43e9bb4c0b015732fdb23eaa2154c076

SHA1
eb04ea8171aeaba06861753917bfb61997ee7c53

SHA256
80fa6e34d060d30989c647aef8064e5757622059bce4c10ff135f80af36f0637

SHA512
8ab536eac2cc1122d1c270cd89879bc2c3f932dfb7ea246138415b262462639fcfcea357196921101607a650c25c7ddd383bde2037f73b6622592f4e84e87829

Download Submit
C:\ProgramData\HCFIIIJJ

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\op8gvkxlx4.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\ProgramData\phdjw\7y5pzm

Filesize
130KB

MD5
bea6670b9c13e7eda631c714bcb85786

SHA1
90f7ee6daa6f4d5b958f651dc64b1e7da1d2334f

SHA256
aa0cda39c95f2f7ae47bda93363a8ba36d882595e749775273b60d6926c2cfbe

SHA512
dabd4546d22721bd67a330b1781a473156565493acece46f6f10020e04861a9d6b6638f5563ee1def523e4793558701cb9b3b92d0f13103fc35c6e853d95c273

Download Submit
C:\ProgramData\phdjw\gln7ym79r

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\q1n7g4o8yu.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb11d0449e2f631e899c84ee76249f7f

SHA1
5560ba98a9b0a1bc85818853429a4b397fd8270f

SHA256
33cd082f616d214b36d42fe7af5aa121c12759258aa6df42ad440fcf7785ad3f

SHA512
8e6a5823b5b8a0292b2274fab64f855e678eb40feed9744be5ae2795f3d3132d3824e257fd045e3fe37555cfd2b579c637d05dddeeef59a3ddfd4bd001d53808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
020daf3e22180843b7f7a93da156da97

SHA1
d4ddabbe8603de5dac0c58a66c21d01cfec7251a

SHA256
c2bf74eb1e3ed0d688295c3bf1f8342cc5a1d1df467a79265fa7af2297385bd8

SHA512
7c9f03d93de7e7bd5ce5f37bd8f61b10bbf79aeab5bbb231933720aab1ff112c759ffd2a3640599abb8fa34e38d7de470c41a7dd6f5c0cd2b1c749fc854f0ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
0a9e99ac24e2cec255edb91b7187e559

SHA1
1e746af2e3292da1cb8a92eb07dcb147eb794a4c

SHA256
d85084b182c082e01e2793e39d1da58881e22985a70ae5ed1915fcdefed5e952

SHA512
adfe1ef4d31da00183c7eb8f312c0e88ee28b4832624a4abef7cf0721dab313e9e820649781b9e2fe4de267ad94f1c649bfd2bd190c798e2d2da09ef694cbdd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
3ae950e86403bcaf61ff55dc3589f656

SHA1
f7356086d0de0f5f9de00397635f1a67ed0292f3

SHA256
b95a1f264c2cac195d5e3bf5bff03bdd33cb6d9443bf2572d7d872d792f8ba4b

SHA512
f6a9d06cb319bd6df96e96649361818b468b18a90d63946fdf08bb0574ae649e930f94dcb6c7b2d5e1b1a44b40a1f46945666ea9ca5b3e3c7526509bdca005da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0605b75c5c345cc202a7885499cc09a7

SHA1
540568cdb245ba26bce8711347e456320012e83d

SHA256
8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

SHA512
dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
11bfa8282d00ad693fc1b90136d773ad

SHA1
78e187adff22891c61cea1bc0a54f6de1d4e3364

SHA256
042a8d0bcbbd6a73eb7bd079c353cb2b78898eb242a3568ff3a0a89a776cbaa3

SHA512
c677b46264f8cd7a83eca6831b1f137085a38bd9e0efd5dbffed65c46ec00b6a939cb2e45b4ff37fb126b9226023e9fdae905ccf95a12665db9c737927d77020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
35KB

MD5
045cfb4750c12ab5b58fb24d0748de28

SHA1
bec4a5e2c9a6308e9d7f366b8fac26d525489844

SHA256
d969cb4e98cf7b76871656d7c1ffa0dce44c8deffdcc628e48c380bd4b592a03

SHA512
e1da63d19d63d804f445495de5aa772417972a8830cf33ff8c9a8170fd8f2d45e70a01487df4eb6a54057b0674e2dc18858b34a0b08afeff80d9fd17b4512aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
63KB

MD5
1901d2bcbbabee4bbb9804c30642ae2b

SHA1
f31774bc12614be681c0b0c7de3ac128f0e932db

SHA256
15eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310

SHA512
bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
2aac2e5dde6ee57e3d8f04b888c141a2

SHA1
736492d054aa88aab78786c582fe779bed7be7b5

SHA256
48785543d127c665dbae184dca717e3c39a3bf9c7bd99370eb045481c8c12c12

SHA512
0b60798410cb579a5269c17b509247fa528421d39401d1a8688f896a75cb63eb76256359496de285b34399be9edacc80b410a0ca5f8789d27449a4f5a6f45678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
336B

MD5
18b20c64d55bbd77ec2f401ae25727f5

SHA1
637cae9323f247ebbac822e08fceedc0849f2989

SHA256
9d261590c91048e88791044ed88504ac2584619e4de8076598b79edd2d2cd56b

SHA512
9399ca64373ca5ebbaeb97ab64f1dd14a6d0bf03e23953f55344eeadd089a3e64c5bbfcccca6bc0ccc8080b0d8bcf6b7bb2174e5601bd7a5011840d21e35dce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
128KB

MD5
ad5500392a3d6dab62cbbed72729419d

SHA1
74b1d039a44cc37e62dc573d0d14efe2ead9e391

SHA256
aac955452d846e19791a2c1f30dba6a9c1ebde5b20547d37c6e7ebb6c62154eb

SHA512
454433c661570990955c25eedb52ebdf5ae2317ac062cb23be3537b1cc8b5afc2a1d3d1e370951641a473cccb0f3ddee9db34dee2bb7f52db5bb4c9a609a1872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
343KB

MD5
5a59103dbde3e8137761097609bcf005

SHA1
fd55aca2ae3c317576aa6b9f50877a0241a18968

SHA256
315e9ce1dbacfe9740368bac58caac24fdbece24a1c712cb26eb4933723ffedb

SHA512
4ea3f262b2a16e653dd2ac84908c89823ee3dc9532ca0e368325d66f95912c45e01b33d9ffce34b2b01b821bdcc623f2fbb773d382c82a2edb394b1985c7ba46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
0619d7e40aacb03909d46d0f0e3378f5

SHA1
46033e2e015c31fee986029923f698d5ce7a2ed4

SHA256
98ed6d777041858cc7ed0f4a25c96c427cc358569bbbdb279e1a7af0b9df24ed

SHA512
9818931c3dbb720df7ffbbafea37ee4e547e47f9d8d0683332ded92ed25c0bc697ac2a9b4ce9c5a7fba74ba3a00e129265b4e7bf28a365282c40874d7bbea1e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
6ddfda5215c28f69e71616b3590ec607

SHA1
0be2fae1f678561ae60148f3145c7412d56a6b14

SHA256
71ef50c97c0f233c08700db8c7912600eae1a43b894bea6fed35acdbb5f24fa6

SHA512
92efbfe240affded2abd5ded905c618493364c9a8ff0a2b2c9128d9636c24e456a3df951de729a01383828b79138f1b853620b89893587f2dd44dd0389e54bbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
ae3e9b3a1e836e211c465adf5180e9e9

SHA1
adb2a586748e023110127fb4049ac0dd3e31362f

SHA256
8a746c77a1cd73a60b51f48bbfc813c96d2308e626935de3bcddee6682c4e58e

SHA512
2a2a16cdcad179572db368e151491ec54abac3c63517c351735eb54422a2606e057e0c6e22d75104f485217bb593549610a6b57fb6b0d8d0fd8fd32e7002e1c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
ecc5f855e004ff8d06ce40ab8619f339

SHA1
7f99cf506b948ff2a288ccd6c35f0572170a44f0

SHA256
4a8914853a70b2825872fea70e525f5967fc0b862d3e8f28417297dff8fd580a

SHA512
85b38fbdf55e5fb964694eaa24422305a5c350e20cb4a2653dbd417845fcf9075a411dbbe6575a9131401695c4b7d425b212758d293df2940c911900d32250dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
8635f44ad70e73b26c505d6094461395

SHA1
e2cf88a05a84d5c3cda19634d8653a299ccf4efd

SHA256
aa67569c1a420025501817af85c1c3a72720cbae2016e46d0c6809db997e6717

SHA512
27e1d5a80addfee660943aa49fd59948c268bf15d793c8d58597aaa61f0523630fe4dc48a6ce724a977a23f556ad871bfe72e3a83f8b6543a76665eeb00b3eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
f9b950733c9cc9ebc9d992800b070037

SHA1
b146f1b4c35f82f263854f492fcd1ca52e490942

SHA256
5ab7a0200c9cf1e79b24c88665bff504e3ae23360f107e45178a6fc039b2b0b1

SHA512
d7ce8be492b613f6b4901d574bd8c551699518790ff66427583d071423dc73067cee4c75b4d491cae330b68e7a0d004662d1cef4650923ebce1486becc99ad9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
abdf0ab6ee0eb14c69efe616dc61c0ee

SHA1
9956d2fe598c8b1d1e2e90fe58509c52195ebda7

SHA256
62057a68b68f328dc5e1f5c28a47a0e7a13ffd7d0461f54a6797a6b40962dd56

SHA512
7c15c72acdf4408474c5f20be1febb5dd3d57cc37971388a499727ef1694df275b3aae28d972bee64a50b79c7befcb1aa9fcdd9ea9f4c2a97032f81ccd13398c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
18af630036496bbbc0335e4d677e99b8

SHA1
614b16dee60bb93dc99b66c557bad7e2ce85fbfa

SHA256
3219ebc46058ba9401b0a4363578ce8996fcf55820a8561048f0b6429f762c3b

SHA512
87c5a9b4d70d24f9b2e4b02ae0e29b85643a281fb802b76ae1cefeac6ab0f7d4fe55b14bc99d221ce77e3264bc2d8253bd151e222d8b00ea8be42218c13257c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
eec55fe349980566b1dbf1d409d28c3e

SHA1
654ce4b550defea0851f12e8ff81ae9298bb3f60

SHA256
2e81ea3d7ddfc0274f3955d5131143c481e63f2529514c5295873b393d508efe

SHA512
58e02658d08732b5f36e868331a483b5fde15475a6c5f704a19c97d920399c3f7d41a8fa163c66683bf403598f8f48f0cf9fa468f9783fcabd9136a55cec0059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
5a7e1750438748bd333b79a94ca69b2a

SHA1
94fd1be56969e269ce195ba29c3d464d356d6556

SHA256
6d7a64a318c25c643323d5cf1c0c80ccf2f2433e7d74b722fca90468f8f9b914

SHA512
842509c0f495ee24d152ab3f7867183d7cd64b01b5a9305405682abbbff3aa18a8ad7d97ee039393fdd1766fc17ad2df1caf711dc4db8dc7b9df608ffc0fdc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
1KB

MD5
797f754c1466ae3dcc6865f7dcedd357

SHA1
8bace186b7946657e5823a1ac2d6de22ad2491d6

SHA256
788840cef3876c45afb3d92c0ac23607349a996754b8af9c5fd38cd4f7c021ba

SHA512
747a77760fac0a02832a8e7eed38e8f5535f1abc04730af6a4ab3949958a3df063b06793dfa40979958b6785081e430e372e90de109507cd31610e379515ee76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
2KB

MD5
8f26f5e5065f7745e58c60ef177ba723

SHA1
495bb73d62077c283fff79e40f0f0725733e0403

SHA256
e963770c60ea080191d11d971ed4dac5d8242332128d8fb23a409f1d8aabef38

SHA512
44049e0070e2eeaf53904e9a99de80113d57d2840d5b6bfc55b517da8f104166c49a533dfb63652177cb59b0462dc594c298dc5dfacc6474bce9e4db919c61f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe57bd74.TMP

Filesize
1KB

MD5
84f83384b64659f5aea9a0e272f48f3a

SHA1
59dae5c25611fff61d49afffae860d3d5b82305b

SHA256
0f7c2bf7aa1c7a7109f53fe6ebdfbc1b07933f2e90c5565bdccc0f658b8aab98

SHA512
21b7e1ff394c2d27243b83bf278846106461a85ef306fedeb0db45d32aadeb2e21834ee71dda9f6d9434fe53d09fcf5eabfda4f11a1813dbcbbd9aef6d04eca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe5822e5.TMP

Filesize
2KB

MD5
a16db98bf7ea57e74d8153162b031ac9

SHA1
dcfe7dc0de6b1c65ef70244d9b8806b770e4c78c

SHA256
17c070c15bcd25286199b0441d67f6000925a8782d9547c6877a980ccf9cea3a

SHA512
7f251b295747c78157863f9c48eab8778231fd9f9b8fc5420a40aba35b0710261ff51d0d0b511775d77af2e17a518361980de75d9b2cd7e19c713ceb597491e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
397fc6e8968f05fd5770cdf4a0d0be5d

SHA1
db899b90178aa0ee9dd112822ecb2b132278dfd8

SHA256
3a41d27f8d3193f3743eecabf51d675354b7f03be6fa81b7e43d5dc952a00739

SHA512
7b4afb024b3373e21eb5335624966e42683e8f6f2648bc32c524b8db630866abd69c6092a85523da678c8ec6e125c0d7ffaa3c2e1760f1ce6037788d2089bc65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e75b4099-9be8-451c-9c08-ba568e33e703.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
59607d8c714a88218187f81ab1edce65

SHA1
7ab5c128ed67beaaae6b5f90a3be84ff50e0506a

SHA256
fba6d7ba7e6d835f47d04e2b50b13765360d0eaeb8d67c2bde52fdc66a9b0b1e

SHA512
197599100093548743d5073100e904f7c8f3b95bf65fbb65918bb8b6f31347ea18ec6069f2f378d6b6d5c7f44c2ebb062f2a93cfc8ff580496f6b4ebdaf878f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
09eabbb87e3b0c62b8addfce5f5bc7d4

SHA1
22b33a7ca218039cf4c2d3e3beea191dc69d15b0

SHA256
53c6d0e28a79d48542176800975e4596fc70bb666cbcc57a960647a2f1bca7bd

SHA512
79944cf2c51a055e822b57e4ac417fec818b631ef290cc97468fc5866c473c639d3796ec5a94d64f9c719e6cfe04d507cde6cd1a2742709fb2753a2261ad2180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
edda0f4ba7c3a0f9668e81d708f7c421

SHA1
2f9f88e2670967ae9f673abc3add130010f43f15

SHA256
59a9cbb57a72d6e6bcf5de4b239e789725931c9160a3ec7365325825b685b139

SHA512
32e3572eeb8df9b87da3ba0047b12ed12d40d315234855ed29ef44624a32ca993c7fab881d62eaa4c9ee011394270e26b93363e21146b844502e0891feedb49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
95d110f4b9ad39d353e917638c36c3d6

SHA1
2f4db3c5adc42f547473c491eaf60c40cbca3667

SHA256
001d9d8112d0ff2a27a9fdd2dd7d2fd5c34742ccd53a96eb83783be893a60bfb

SHA512
59adb9c21ef9b2bcca798107957959d33b9a2913724c3f05fe93bd9d13123be48fc6fd906ab99c8559ba273d9516bc320afe2c9f54b6c454cc57cf8f2836ddf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\805ca72e-2f1c-462b-b2b0-01f27d5ae8bf.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3932_1981740443\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3932_1981740443\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3932_1981740443\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3932_1981740443\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5568_1850677301\4965aae7-26c4-45de-8374-81010aa10eb4.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Filesize
1KB

MD5
8383841770c3cd0c22cff36f2eb4cb80

SHA1
3ac778b4a28d68dfda5eda3b8abef3ca287b4bc4

SHA256
85ff203da06b6eb7c89ea2f4f2de182ad32f24896ad4fae2512668aff32d4f70

SHA512
db3c7127ae0d9b33c94050ad765778d199924ecd1828cfd1d4230869bcacfd5bee3760de0edc8e767289a02457b9a897ed6c0c52ff5a70167c0017d3b8a0820a

Download Submit
memory/4872-952-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4872-918-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4872-917-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4916-384-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-369-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-894-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-971-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-893-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-892-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-891-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-890-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-889-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-888-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-882-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-885-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-747-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-386-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-380-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-378-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-371-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-370-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-368-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5668-935-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/6092-906-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/6092-905-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/14484-1623-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/15168-1628-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1634-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1635-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1638-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1642-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1629-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1643-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1644-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1648-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/15168-1608-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads