amadey | 2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f

Analysis

max time kernel
108s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 11:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Size

1.8MB
MD5

e0c14883cd0435f5f4171fd6a920c2dc
SHA1

58ef4d76ae61d0826f2274c811c96c52c68d1528
SHA256

2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f
SHA512

52e7be9aec5dcdfd9636bc1a1a08a778162d292f4f19d7c63c83e1081e330f5d25ffd8934b7015fb83f1cd72e5cfe01de03a727b7a64429007595b107e6ad90a
SSDEEP

49152:IfquO+YZ8aeCQ3vuzpXNfnvcRPN/RaKO1X4GY:mU+cHXZFNH4RRpO1oGY

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.163.21:29257

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

14082024

185.215.113.67:21405

Extracted

Family

stealc

Botnet

penis

http://185.196.9.140

Attributes

url_path
/c3f845711fab35f8.php

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

816FA

88.99.151.68:7200

Extracted

Family

redline

Botnet

NEW TEST

beshomandotestbesnd.run.place:46717

Extracted

Family

lumma

https://deicedosmzj.shop/api

https://potentioallykeos.shop/api

https://interactiedovspm.shop/api

https://charecteristicdxp.shop/api

https://cagedwifedsozm.shop/api

https://southedhiscuso.shop/api

https://consciousourwi.shop/api

https://tenntysjuxmz.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002353b-611.dat	family_xworm
behavioral2/memory/5256-623-0x0000000000720000-0x000000000073C000-memory.dmp	family_xworm

Detects Monster Stealer. 1 IoCs

resource	yara_rule
behavioral2/memory/1472-906-0x00007FF7B7D00000-0x00007FF7B8D26000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023579-919.dat	family_purelog_stealer
behavioral2/memory/6120-931-0x0000000000380000-0x000000000046E000-memory.dmp	family_purelog_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral2/memory/2548-42-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x0007000000023465-112.dat	family_redline
behavioral2/memory/4652-121-0x0000000000450000-0x00000000004A2000-memory.dmp	family_redline
behavioral2/files/0x0003000000022e31-268.dat	family_redline
behavioral2/memory/2284-282-0x00000000007E0000-0x0000000000832000-memory.dmp	family_redline
behavioral2/memory/2172-753-0x0000000000D00000-0x0000000000D52000-memory.dmp	family_redline
behavioral2/memory/5256-912-0x000000001DA10000-0x000000001DA3A000-memory.dmp	family_redline
behavioral2/memory/5256-1603-0x000000001E880000-0x000000001E89E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5256-1603-0x000000001E880000-0x000000001E89E000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5248 created 3464	5248	Beijing.pif	56
PID 5248 created 3464	5248	Beijing.pif	56
PID 5976 created 3464	5976	Cultures.pif	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5968	powershell.exe
5196	powershell.exe
1076	powershell.exe
6012	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2932	netsh.exe
5504	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	BattleGermany.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	runtime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	coreplugin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	axplong.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4792	cmd.exe
5436	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe

Executes dropped EXE 24 IoCs

pid	Process
4120	axplong.exe
1280	GOLD.exe
4364	crypteda.exe
3612	d33dKuRU8s.exe
4652	fuww1rCuQj.exe
2724	stealc_default.exe
2212	axplong.exe
1140	clcs.exe
2284	14082024.exe
5400	BattleGermany.exe
5708	Community.pif
5988	runtime.exe
5248	Beijing.pif
5548	coreplugin.exe
5976	Cultures.pif
4712	crypted8888.exe
5256	explorer.exe
5464	LummaC22222.exe
3592	axplong.exe
5288	explorer
6128	5PHCENYBS068Y01.exe
1472	stub.exe
5952	Cultures.pif
6120	Mswgoudnv.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine	axplong.exe

Loads dropped DLL 37 IoCs

pid	Process
2724	stealc_default.exe
2724	stealc_default.exe
2384	RegAsm.exe
2384	RegAsm.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe
1472	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\explorer"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
165	raw.githubusercontent.com
166	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
112	ip-api.com
177	checkip.amazonaws.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2840	cmd.exe
1600	ARP.EXE

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
640	tasklist.exe
5692	tasklist.exe
4076	tasklist.exe
5596	tasklist.exe
2288	tasklist.exe
5808	tasklist.exe
3296	tasklist.exe
5544	tasklist.exe
6128	tasklist.exe
5876	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1420	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
4120	axplong.exe
2212	axplong.exe
3592	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 2548	1280	GOLD.exe	91
PID 4364 set thread context of 3508	4364	crypteda.exe	98
PID 4712 set thread context of 2384	4712	crypted8888.exe	190
PID 5976 set thread context of 5952	5976	Cultures.pif	207

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysOrleans	runtime.exe
File opened for modification	C:\Windows\HostelGalleries	runtime.exe
File opened for modification	C:\Windows\ConfiguringUps	runtime.exe
File opened for modification	C:\Windows\ExplorerProprietary	runtime.exe
File created	C:\Windows\Tasks\axplong.job	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
File opened for modification	C:\Windows\ChestAntique	runtime.exe
File opened for modification	C:\Windows\EquationExplorer	runtime.exe
File opened for modification	C:\Windows\TreeProfessor	runtime.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5452	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cultures.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coreplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14082024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mswgoudnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuww1rCuQj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d33dKuRU8s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beijing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted8888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BattleGermany.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Community.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cultures.pif

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5764	cmd.exe
4548	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4652	NETSTAT.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5220	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1316	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5984	ipconfig.exe
4652	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6064	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5940	taskkill.exe
6204	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5784	schtasks.exe
5860	schtasks.exe
5388	schtasks.exe
5320	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5256	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
4120	axplong.exe
4120	axplong.exe
3612	d33dKuRU8s.exe
3612	d33dKuRU8s.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2724	stealc_default.exe
2724	stealc_default.exe
4652	fuww1rCuQj.exe
4652	fuww1rCuQj.exe
4652	fuww1rCuQj.exe
4652	fuww1rCuQj.exe
4652	fuww1rCuQj.exe
4652	fuww1rCuQj.exe
2212	axplong.exe
2212	axplong.exe
2724	stealc_default.exe
2724	stealc_default.exe
1204	msedge.exe
1204	msedge.exe
820	msedge.exe
820	msedge.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
2284	14082024.exe
452	msedge.exe
452	msedge.exe
4100	msedge.exe
4100	msedge.exe
5000	identity_helper.exe
5000	identity_helper.exe
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif
5708	Community.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
820	msedge.exe
820	msedge.exe
820	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	d33dKuRU8s.exe
Token: SeBackupPrivilege	3612	d33dKuRU8s.exe
Token: SeSecurityPrivilege	3612	d33dKuRU8s.exe
Token: SeSecurityPrivilege	3612	d33dKuRU8s.exe
Token: SeSecurityPrivilege	3612	d33dKuRU8s.exe
Token: SeSecurityPrivilege	3612	d33dKuRU8s.exe
Token: SeDebugPrivilege	2548	RegAsm.exe
Token: SeDebugPrivilege	4652	fuww1rCuQj.exe
Token: SeDebugPrivilege	2284	14082024.exe
Token: SeDebugPrivilege	5544	tasklist.exe
Token: SeDebugPrivilege	5596	tasklist.exe
Token: SeDebugPrivilege	6128	tasklist.exe
Token: SeDebugPrivilege	2288	tasklist.exe
Token: SeDebugPrivilege	5876	tasklist.exe
Token: SeDebugPrivilege	5808	tasklist.exe
Token: SeDebugPrivilege	5256	explorer.exe
Token: SeDebugPrivilege	6012	powershell.exe
Token: SeDebugPrivilege	5968	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	5256	explorer.exe
Token: SeDebugPrivilege	5288	explorer
Token: SeIncreaseQuotaPrivilege	5456	WMIC.exe
Token: SeSecurityPrivilege	5456	WMIC.exe
Token: SeTakeOwnershipPrivilege	5456	WMIC.exe
Token: SeLoadDriverPrivilege	5456	WMIC.exe
Token: SeSystemProfilePrivilege	5456	WMIC.exe
Token: SeSystemtimePrivilege	5456	WMIC.exe
Token: SeProfSingleProcessPrivilege	5456	WMIC.exe
Token: SeIncBasePriorityPrivilege	5456	WMIC.exe
Token: SeCreatePagefilePrivilege	5456	WMIC.exe
Token: SeBackupPrivilege	5456	WMIC.exe
Token: SeRestorePrivilege	5456	WMIC.exe
Token: SeShutdownPrivilege	5456	WMIC.exe
Token: SeDebugPrivilege	5456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5456	WMIC.exe
Token: SeRemoteShutdownPrivilege	5456	WMIC.exe
Token: SeUndockPrivilege	5456	WMIC.exe
Token: SeManageVolumePrivilege	5456	WMIC.exe
Token: 33	5456	WMIC.exe
Token: 34	5456	WMIC.exe
Token: 35	5456	WMIC.exe
Token: 36	5456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1316	WMIC.exe
Token: SeSecurityPrivilege	1316	WMIC.exe
Token: SeTakeOwnershipPrivilege	1316	WMIC.exe
Token: SeLoadDriverPrivilege	1316	WMIC.exe
Token: SeSystemProfilePrivilege	1316	WMIC.exe
Token: SeSystemtimePrivilege	1316	WMIC.exe
Token: SeProfSingleProcessPrivilege	1316	WMIC.exe
Token: SeIncBasePriorityPrivilege	1316	WMIC.exe
Token: SeCreatePagefilePrivilege	1316	WMIC.exe
Token: SeBackupPrivilege	1316	WMIC.exe
Token: SeRestorePrivilege	1316	WMIC.exe
Token: SeShutdownPrivilege	1316	WMIC.exe
Token: SeDebugPrivilege	1316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1316	WMIC.exe
Token: SeRemoteShutdownPrivilege	1316	WMIC.exe
Token: SeUndockPrivilege	1316	WMIC.exe
Token: SeManageVolumePrivilege	1316	WMIC.exe
Token: 33	1316	WMIC.exe
Token: 34	1316	WMIC.exe
Token: 35	1316	WMIC.exe
Token: 36	1316	WMIC.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
5708	Community.pif
5708	Community.pif
5708	Community.pif
5248	Beijing.pif
5248	Beijing.pif
5248	Beijing.pif
5976	Cultures.pif
5976	Cultures.pif
5976	Cultures.pif

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
5708	Community.pif
5708	Community.pif
5708	Community.pif
5248	Beijing.pif
5248	Beijing.pif
5248	Beijing.pif
5976	Cultures.pif
5976	Cultures.pif
5976	Cultures.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5256	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 4120	564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe	87
PID 564 wrote to memory of 4120	564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe	87
PID 564 wrote to memory of 4120	564	2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe	87
PID 4120 wrote to memory of 1280	4120	axplong.exe	90
PID 4120 wrote to memory of 1280	4120	axplong.exe	90
PID 4120 wrote to memory of 1280	4120	axplong.exe	90
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 1280 wrote to memory of 2548	1280	GOLD.exe	91
PID 4120 wrote to memory of 4364	4120	axplong.exe	94
PID 4120 wrote to memory of 4364	4120	axplong.exe	94
PID 4120 wrote to memory of 4364	4120	axplong.exe	94
PID 4364 wrote to memory of 1132	4364	crypteda.exe	96
PID 4364 wrote to memory of 1132	4364	crypteda.exe	96
PID 4364 wrote to memory of 1132	4364	crypteda.exe	96
PID 4364 wrote to memory of 3824	4364	crypteda.exe	97
PID 4364 wrote to memory of 3824	4364	crypteda.exe	97
PID 4364 wrote to memory of 3824	4364	crypteda.exe	97
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 4364 wrote to memory of 3508	4364	crypteda.exe	98
PID 3508 wrote to memory of 3612	3508	RegAsm.exe	99
PID 3508 wrote to memory of 3612	3508	RegAsm.exe	99
PID 3508 wrote to memory of 3612	3508	RegAsm.exe	99
PID 3508 wrote to memory of 4652	3508	RegAsm.exe	101
PID 3508 wrote to memory of 4652	3508	RegAsm.exe	101
PID 3508 wrote to memory of 4652	3508	RegAsm.exe	101
PID 4120 wrote to memory of 2724	4120	axplong.exe	105
PID 4120 wrote to memory of 2724	4120	axplong.exe	105
PID 4120 wrote to memory of 2724	4120	axplong.exe	105
PID 4120 wrote to memory of 1140	4120	axplong.exe	110
PID 4120 wrote to memory of 1140	4120	axplong.exe	110
PID 4120 wrote to memory of 1140	4120	axplong.exe	110
PID 4120 wrote to memory of 2284	4120	axplong.exe	111
PID 4120 wrote to memory of 2284	4120	axplong.exe	111
PID 4120 wrote to memory of 2284	4120	axplong.exe	111
PID 1140 wrote to memory of 820	1140	clcs.exe	113
PID 1140 wrote to memory of 820	1140	clcs.exe	113
PID 820 wrote to memory of 1316	820	msedge.exe	114
PID 820 wrote to memory of 1316	820	msedge.exe	114
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115
PID 820 wrote to memory of 1492	820	msedge.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4332	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe
  "C:\Users\Admin\AppData\Local\Temp\2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3824
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Users\Admin\AppData\Roaming\d33dKuRU8s.exe
        
        "C:\Users\Admin\AppData\Roaming\d33dKuRU8s.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
      - C:\Users\Admin\AppData\Roaming\fuww1rCuQj.exe
        
        "C:\Users\Admin\AppData\Roaming\fuww1rCuQj.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe
      "C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffc5bf846f8,0x7ffc5bf84708,0x7ffc5bf84718
        6⤵
        
        PID:1316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17647880893905268080,10108461000121638419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        6⤵
        
        PID:1492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17647880893905268080,10108461000121638419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17647880893905268080,10108461000121638419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
        6⤵
        
        PID:372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17647880893905268080,10108461000121638419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        
        PID:1964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17647880893905268080,10108461000121638419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        6⤵
        
        PID:3612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17647880893905268080,10108461000121638419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
        6⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5bf846f8,0x7ffc5bf84708,0x7ffc5bf84718
        6⤵
        
        PID:2192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        6⤵
        
        PID:5060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:5076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        6⤵
        
        PID:4284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        6⤵
        
        PID:4040
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
        6⤵
        
        PID:4868
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        6⤵
        
        PID:1600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        6⤵
        
        PID:3420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
        6⤵
        
        PID:4248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
        6⤵
        
        PID:4856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
        6⤵
        
        PID:5860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14144690580711218592,6797320014645090082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        6⤵
        
        PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe
      "C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe
      "C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 177479
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "FoolBurkeRetainedWait" Drop
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\177479\Community.pif
        
        Community.pif s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6072
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 40365
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "HopeBuildersGeniusIslam" Sonic
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
        
        Beijing.pif s
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5248
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe
      "C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5876
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5808
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 297145
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CorkBkConditionsMoon" Scary
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
      - C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        
        Cultures.pif k
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5976
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe
      "C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4712
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\explorer"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13240/
        5⤵
        
        PID:5896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5bf846f8,0x7ffc5bf84708,0x7ffc5bf84718
        6⤵
        
        PID:5404
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 5256 && choice /C Y /N /D Y /T 3 & Del ""
        5⤵
        
        PID:6840
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5256
        6⤵
        Kills process with taskkill
        
        PID:6204
  - - C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe
      "C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5464
  - - C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
      "C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"
      4⤵
      Executes dropped EXE
      PID:6128
    - - C:\Users\Admin\AppData\Local\Temp\onefile_6128_133688014824952264\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:1264
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:5304
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:1128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:5808
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:5488
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:4952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5608
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:5644
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:1420
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:6100
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        7⤵
        
        PID:5812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:5924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5388
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:3296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:4792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        
        PID:5436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:5480
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:1264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:3188
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:2932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:2840
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:6064
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:6068
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:5220
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:6120
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:6116
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5884
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:6104
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:5932
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:5972
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5288
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:5784
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:5880
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:5840
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:6140
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:6052
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:5316
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:4076
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:5984
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:3420
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:1600
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4652
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:5452
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2932
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5764
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:380
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:528
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:3432
  - - C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe
      "C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5388
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
  C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5952

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3592

C:\Users\Admin\explorer
C:\Users\Admin\explorer
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FIIEHJDBKJKECBFHDGHJ

Filesize
11KB

MD5
d8fd8f1795e64f4b18a3a618c969924a

SHA1
09d4ba342901cdda1c0e90e39d5ab3e7043d2082

SHA256
7802a58350454b065cbe3b99f7f26b8f7f4cde0ae69da64948868fa836cfb110

SHA512
e9533fd60f72ea15c326eaf8074231db330e9959613e883611f34195c42e1187a44ef07bad01b46f31a55d689b6ef712acd544ffa9929d9718d991afb4020f84

Download Submit
C:\ProgramData\HIDHDGDH

Filesize
114KB

MD5
c3311360e96fcf6ea559c40a78ede854

SHA1
562ada1868020814b25b5dbbdbcb5a9feb9eb6ba

SHA256
9372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b

SHA512
fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65

Download Submit
C:\ProgramData\IIIEBGCB

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\718f799d-2df0-4730-aee4-0471cd8df4cf.tmp

Filesize
5KB

MD5
0b07ef6a668acecdab31d0854ea6929b

SHA1
955c50b18d49644d1b00c0aa377f4e416c3bea81

SHA256
4eeba2be35e20fd40df1eb5690d1de76fd9f7faf97d493998871cb72bb948eea

SHA512
655bf1ade4d47ae813130f41f8a8467fa474a3c82bb46810f883b54542f30bd8d657cb01b96436c5e102f9d89a12ac6c71f318697781ea07d9b58d45dd16fa1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
86476f427538b34ec9539ad816691628

SHA1
a6028aed8f63b93066b197504fd10137cb615257

SHA256
a8dfd9cae4f26a728382caeb4b8842a52a9b2bc844794b0889a9927cb39a26a0

SHA512
4d38de4e37f8a0d79d6f70cc436014bd94182e526cd0bb4858db76102d5b156d768e435edde39ea2d63d23618b129ae1c5924b958e69b7fac502185198e8e9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
6db2760fcc57bb4790d82230fce1fafe

SHA1
7abc91c5c1e3e38b06a436d27325f83eef0e04b8

SHA256
dfc9a39bc98d2ff12eebb04c51dcc9dd47501cd409d8cbedfc30d951e5740ac5

SHA512
18df152b3b42b372cce3a8af419982d0714f55a585dc2fb78916d0dff4c3048b332e9eaf6827edbd8684d0a7e3a0a7eb04f2034ecb1303bfa86a98b109c46f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
95c4b8f5b8a2e4af876f1695ba042f20

SHA1
b9524a6bfafb4f76ccc78dac3ce62b8528451a0d

SHA256
ef0e8917a938b1c13b85aa3c623e5fcb746192310f07973bd5f250c8ddc5ac3e

SHA512
e6e2f6c74004fb7ea2a76b5b54653828eb8212f6f52265fd6f0434fa5b8fa89f468039e604fe9c8d10648f4acad04ce02377351a934afe402bb9c4a6ac5a7492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
2a543d361fc80c2ad795deb628119232

SHA1
8ee887fac4460434f80fc7026e50825b94c37242

SHA256
5c4eeb04503afd539f139a5ba42a3142f0357d5e67bd2332b29f92e4307c4db2

SHA512
52dcc221281f8f93d6f67c3afeadf53375a4ec04c99a1373ffa320c3a398e43dfac676d3517fac4db14d17176c92ba7b75f148c65cd1aac29affcc072f4945ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
65KB

MD5
831fa4ef07b7ae9877e167e1bebe9e1a

SHA1
ddb2f8ac76b3868bb7521f029b453f77b7abe4dc

SHA256
460ec433c20b5df7b3442273a810aca17f27bd2c98006b2fee148366ee0560a6

SHA512
7a750b10e0e33af4682feac535cf395b96587ff411d36822ad08ed6b343106748ac6a6f75cd0e2df0ade019410e546b1867760fab2ba4a64826fb6caa982a1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
6d6d7864c2f3bb513260d0e62222ea89

SHA1
6f224a838adce9b8c459c6b779e4aab347de7f67

SHA256
2c8445f6fbe4b23abab9c86831a5df729640d66d0f0a31053e32d9c67869f799

SHA512
fb200c9b147643db5600726ec8ee085f172d7ec5bea26dba8e223bd2bf20ba30dee371789d345c79caecdbcd7e20894f2166ed7b6dbc318020f393fe9811befc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4d335256af9ebbc5_0

Filesize
243B

MD5
5a03e8e6fb6e3b40f9100ddb9165b2ba

SHA1
9b965787ebc58797aafb7f07cbba730f02a9e90a

SHA256
7d4acb5245eeaa73a18feebd57c613ae5f7aca33c69ac18ef06979a9b85e59fc

SHA512
d81e913d2e44079a20de201db1832a1ba0196b976ee17129c30ea08482edbaad60ca8d3ca9a7270360976dee55d65c07b79e324649536e2b61254131e3ec772a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac4c2bd350c03345_0

Filesize
249B

MD5
a65e1d03690a0450ed075133da591444

SHA1
49d687ac13a2abac5b97a09cb4e2bbbdd216daeb

SHA256
f4da40767e0b0d496ca23e08dba2053f3787e5a6443a9170b5c1f6629e5dd94b

SHA512
d17041eb1c1d365271e48844c6c0199f00b1f3aa01f7dbb0cfca88ec185ef646237f584e3eae9cfdb824ca17759e5a929437213306380bbe878de5e1787026f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
221B

MD5
9d343bdab8425186863d4995462ed47c

SHA1
2fbc311be9ef52dfe9436cbd0f4ce68394589b25

SHA256
da0f8e908a23b52f227f8879b69cd931f14beb393e167502e4045539033c66a0

SHA512
1a108aeb13030490cd33a17a8d4a48f1068e601cc663c567a990b7864149818c23863bc38b720ec77399d17763dc42980bd218bb1057ce488c989e0f5e9a1b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
d3727429964c932827882afa317ea5d8

SHA1
8009bfa6bbbc36eedee9f030e76fd6cf9905cd61

SHA256
45cd7e73518996cc3c9529000c0eb309d5f3e49b8d7cfaf8901100f0f61216f1

SHA512
47ce29e524f9c4c6f20d83d2a282070028612a970792e0c74c1d62be9895a8f69ea69bea0fb127e808a1dce41ed083c10e0b9b038d373b82f0391ac03b31bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58a62e.TMP

Filesize
168B

MD5
699648e7b3c276eed5286e5b7461a61e

SHA1
a3860b251469fd1ba3d6f620aa9ccfb01c13cf84

SHA256
659b7558f7777e86455121c5c8ea975494d2d388020d025daebaa7429294d9fc

SHA512
8ff8e367eed11aa255a87e5e79dea1df770ab230e509093bace263529d420a8ff85b70332e4831987276a5911b8f7c92eeea7b106debf4a8100e42547f530a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
150887461ec7c8d87030f4f3aafc3f44

SHA1
f62a1780f9983ae6aa58814ba53543a2d5914f3c

SHA256
3beebc6fd65ed8f0c3a9b33af6bb0d017da25ea422b7f21b27787282f2540f63

SHA512
1572c1cc29742e24ae4fdd94bfd8b8dff2e184330f4631857b3b3ad73c1a4d946c1bc5feb40b95c13a1b0a078c0b0ec0fbc7c71ac83a872d4595db1f77d650a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons-journal

Filesize
14KB

MD5
f8ec9565c7fec5ba64b5b9442186d16e

SHA1
551e5a65d4ae370d17b9308fae26acc7b9910abb

SHA256
12c381b1b7962a06bce91e02e6bff7c4bffb2550ea78e04d768d006997ec9193

SHA512
b5bb6cfb87ad7674105ea0d85ae08f547a463d38ce9290f4adb56dafc3a7d193c3287dee909efb1ce2fecc226d3d9febd116447a420218f967f8afa40329755d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
7c44c639e7459ce469e0b59f9450788e

SHA1
5ea6bccf4dc445fdc561f5a3bdef4cdcfc0c8da8

SHA256
70d3f49228af2b682cabdc51d58d6073659b56dd10d4fa2948c43490e04d9de6

SHA512
33a737e2436b646648718ac87c8a1b6153dea88fdbc6a7559e45c138a43c6667ebb429f89c38ae429ff7da93e1cbdf34abd3f50a06595c5dafd73f6522425ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
611db15e28c958d8d0d8df68ed8a6d32

SHA1
7181e395f9822cd63d448db7be530aff14bd976e

SHA256
6b4f72ed01709f8a2d7d05ce7b6e3fa28485c6f9a49b75d4be6fab614efbc217

SHA512
3ee2617567e7912eaa9a4122ea0f175d111a638db006cba8eb53d5edb457cc6679f160c403bc8943df9b9b7de619e98a3858d3f3f1db738702b5e475f9c6862c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c84a97d0196f3ee146844fb641f7863

SHA1
4de7839b3768bc4ff24a892f86263ee727767846

SHA256
45f423c66d12d22b2a7a2d28517948cb6dbcaa0be8976bfff81ff84ed0491c46

SHA512
674df78130a8f2a37acc7f7bdd316f227d4767897f3f1c57921e5b675a9954e12385f211762359767cadb13824a723c1d505ffbbb2d019300d04c974994d48a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
554946e458a3e686253c7324d8fabf8a

SHA1
b74c5a3faf2722f5450624e8496659b2d45a30d4

SHA256
4c3864c15efe1a46d43c525ad6269baf4b04f4d7953dedc3977430aa1c8007e7

SHA512
7746804781829117d9104d8ce793f392b975c2b58cc515a2b929bf0b2acdeaa72a7937411fdefbb3cd8694d3a40cbfa82b9650b18c5bc44c0b27141756b9c6e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13368801436698100

Filesize
1KB

MD5
a79dc02f1516909a62bade0c7d374c3a

SHA1
692c6f7e3870d1b86d3ac2c0abd9125ec87b6d17

SHA256
426d998bae4099af0e5e9dbb374c26ff963ac833c8e8c4238e560f65f0128b7e

SHA512
494cea6242707e64f22ec5634d51d22f4b7db802fb7eb905fb940c336e242eefe76f976c300a9427e9f9de45f7a7df1226d8e32618f35e6fb98f0f7acc777a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13368801436882100

Filesize
933B

MD5
b67ad1dcd37bcd5a72453148d22ec9d4

SHA1
ed0413a49c98ef90573f80dbc4e86b9743ce0ea6

SHA256
6c7126846775968a82252f752ec75a7db9fdf28ab67ca72110022917ee84f2f7

SHA512
c463e35e51d640abe49472b01a0bd890277eae7e3eab73f799f8fa5fa3a6854a158cf4cb95501ed76ebdae8214a72db04740216d7cad68fa1b5354538675c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
6b34c639174228b325821627b3a3d17d

SHA1
09f915ee7bc7e32926a0a06243733f02741635d5

SHA256
3d97bba51b5f3d093404696daea4ea9466d5cc669c27e6fd79a66c5d80904728

SHA512
31191fb44f6204ef856ca7687fb0c448b8c5351a10d32a651ce3de49dd2abdc14148ae60f051458a42978292a052a7871ef2c454e2592d1e82605f5e3c062cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
77a3007c467755ae9011ae56de3e0152

SHA1
e30c633c5c1db7a132655c4b6ed1c24ddfd8bba4

SHA256
ff65537fc09dea14f1151c39db03b4c9a3428648a61c76d7be6b7e2c1b45091f

SHA512
a8de9cf61e61979b859360b84382d32380b7d6a2925c8f939253df1c0ebc749db44cddb5910b741f1d81a4ee28d6e9dcf99e12e6de2ea77c12c376867e8c4297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7ab85d0643e6d12aaeb82e5b4c3250e2

SHA1
ddf52d28e9a02c97d3617687c3ca41ab8033824b

SHA256
0d564c5c21f15200dbe6036639765c57f9f54090a415bae4c9c608853f854ccb

SHA512
6b5cf0cb174fc678332ad6cdf6ad1769d7120bda4cc558a79ea02d122aae6d5f2c116c4b58a07fbca3fe2525d9c8bfe05b8a3b53a8ffc8d87ab75cd3449eadcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
96KB

MD5
fdf8ab2679317575f00fac6b354584c6

SHA1
3042763c9be6783e8fae94830e81da4fc4e065f1

SHA256
80ef3510fa78fbb873be07acf4576d42fea210b75c7a5eb4631ba51fa9f976a8

SHA512
adeed85fa609fe704dbc4d2d1c0615371cd78f942c7c13cb9e3ca5845720f8b71f366ab60395f0cdca3f5a7bca063e69f04c25a558b9f99ce0c55a3cb6e7f21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
b53b5bf5fbcf5e8d5efc9ab70d70d9a4

SHA1
4e4732b88f2518c752bf6d0948fa5b084049a403

SHA256
a3b8d429317a48f3ca08456129c76f0650e0d4e1333994c7f5304ee48693434e

SHA512
a79e7a4b1057babeacf7617d2f0eeca1d4a6f1a888f9a0eac6599f76700f784857b59d9ea9df99c2c7aede9b99ff79024f94e802bf7a9cf9e8ac6233b2728270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
40c24a7b19bf019e3d313a833ef7a437

SHA1
93102bf5c7ae5e3e8bc376ea70593a460e6097be

SHA256
a207bf5d0f8e528e2e83c01b19e691c4f2efea1e4dde2d83fcb96654d2f81be8

SHA512
8168c9c9ec87ee8f67e26159dbeb35b0cba61b5dda9e3eeefc4d646c4e955b90e4aea692022e599b819601d7bcaab514fa9bc3600a5bc6c51c190f2d1e494c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
881e38382475ffb7000ca10dbf63cb1a

SHA1
c26bc071c148bf38fa3b0ce2ac093a15bfa1880f

SHA256
c674bb852ca2294283b7189e6097dc0ee98d5ebff32b8780b019436816407e88

SHA512
acbd74d5ad0f12cda3bd5a0c078167938057614624be832eb6d56f8ec0a05fb6d97ea96ca51f3d200a5fe1462d652e0ba70e64f708346bd6e18f7ffacb4de49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
af344feef098dcaff22696a720575873

SHA1
cfb066eb2fbf43b87843ec1dca3211bee77c985f

SHA256
c04ae320085ee8a70e11e32cede189ae8b66d88182a82cd229e1be55d315f21b

SHA512
1fc6bb055965accafba53f3bba23bf1921c9ec47214b4b785a05723a8765bc36fffe6be5268b5e86fc2bf28d13aac6d8b17146c05fffe3cab08cdbf77b2cd047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
5031f310db872f6e1709487e4a366bf1

SHA1
27e41ad30340620f13b67a8196a1ff0d308c6234

SHA256
330d32c8bfbfcc11edde423fdc4d99ad99da1dd66accf71cdebd8fede6b059a5

SHA512
ee50f581e234052739396d8110c3cfb039d39f395063a6d6f99b0eb84eea39a9d2897e194570085d8becb9b582fc8d3af1fcf82208562d62d654067f7150806f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
684917705fbf68ac0e3fc5c5ef0963ec

SHA1
c99af2dce19f7ff8ef38d5182d520e205e7422c9

SHA256
b9382334eb11069127067ef5adac9a59294ea6bc63afa351c788ab0963b38f8f

SHA512
94a079dde0ceb132ddcc257bee2c442c52db8ef75df13f3a7041bec6cfe4e83813168391dee6f1cfb45a80f2f3c979ab4d6150d3f3c17ab4a0274060b22a702b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
359c536b1572c8326b940aaee1f3e9d9

SHA1
9b39ec626ad970b06241b0eca33c91fcd4f11619

SHA256
72dc75d903b7f2582da0d105cfece53c8dddcacb26b1a7b21ab5bddadce03877

SHA512
3ad278b567c02e1c7792e174333f135ebf158c51a9183b5b82c39207cc2654692981d1c64a4e7e2ec8a92a200c49493f3581ae1cb0e3c1aa1b4aca93be7e42d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
323KB

MD5
d6fca3cd57293390ccf9d2bc83662dda

SHA1
94496d01aa91e981846299eeac5631ab8b8c4a93

SHA256
74e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e

SHA512
3990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.1MB

MD5
8e74497aff3b9d2ddb7e7f819dfc69ba

SHA1
1d18154c206083ead2d30995ce2847cbeb6cdbc1

SHA256
d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

SHA512
9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe

Filesize
7.9MB

MD5
d23710b05767ac5d4e1d4754f468599e

SHA1
6fbe21034afe7850a1e608ea67460c25aebb4232

SHA256
b78c67f56b7af5533a502fef2ed9b0ce4c9d507214a74f7d0501611941197b75

SHA512
e021881e5050b14ab78bcaa686d180b88ac620876cd45525b7648b04a8b672010832a3e8f40221c1e6420b9f6ceda1918a2cc04eb56db9dde39aae3c63dc8a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe

Filesize
304KB

MD5
9bba979bb2972a3214a399054242109b

SHA1
60adcedb0f347580fb2c1faadb92345c602c54e9

SHA256
17b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368

SHA512
89285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe

Filesize
8.3MB

MD5
b7df5fdcfdc3f46b0b4f28c1ffb82937

SHA1
3209511839cd917318c754e0105c1d0cf298f25b

SHA256
7636d2367079eabd9da2bb40935df3da580affc47473fd93ed3b2e01ee6c46e5

SHA512
8a65c4e2b0755323293736fc01eb445071e04f7e2c345d2838bf7a89887f40c6e3b81df4bb35807d9a47ffa322b42383194baec45fd9b3f1e31cbcb6a72e819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe

Filesize
1.1MB

MD5
9954f7ed32d9a20cda8545c526036143

SHA1
8d74385b24155fce660ab0ad076d070f8611024a

SHA256
a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5

SHA512
76ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000162001\Identification-2.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe

Filesize
208KB

MD5
031836b5b4c2fc0ba30f29e8a936b24e

SHA1
adc7e7ec27f548afd50fac684c009cfe5c2e0090

SHA256
bf4f27f6932ce75b1746f5364af3abacbdafa59913da513a168d86ea0ad3a3a4

SHA512
ac58ed6b9a3ce4c35366e99e72e4ee1c87048a11979c91f69740d49b3c1f4f4dc3cbaa66287c73530806b8359933e7b6df0bbab01bc3dd4f351988a6a3cd3b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe

Filesize
87KB

MD5
7bc9e427746a95ed037db5e0b3230780

SHA1
e5fb0551239eb8edf5b117b04a86742c7780355c

SHA256
3d8b1b6802f265ff8eb229c38ff81824f3652f271eb97b7bfef86db369902a08

SHA512
ae6e823d72a1a976401726ba3dfb61919bf529719fc555c680a99b3a58c15c982b9a8024d4ca2dab933acd1cc22c1f66bc0d46e7d0e7422825dad9c77852808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe

Filesize
258KB

MD5
40e9f5e6b35423ed5af9a791fc6b8740

SHA1
75d24d3d05a855bb347f4e3a94eae4c38981aca9

SHA256
7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

SHA512
c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe

Filesize
10.5MB

MD5
7fffe8702479239234bce6013bcad409

SHA1
ee7aaecaeff869350ead69c907b77d5b0afd3f09

SHA256
7870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95

SHA512
8d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe

Filesize
924KB

MD5
de64bb0f39113e48a8499d3401461cf8

SHA1
8d78c2d4701e4596e87e3f09adde214a2a2033e8

SHA256
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

SHA512
35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
e0c14883cd0435f5f4171fd6a920c2dc

SHA1
58ef4d76ae61d0826f2274c811c96c52c68d1528

SHA256
2142379a9c52ad7229e17227f54e935a9be18da1e32f0efd4cfb66f8d4648d9f

SHA512
52e7be9aec5dcdfd9636bc1a1a08a778162d292f4f19d7c63c83e1081e330f5d25ffd8934b7015fb83f1cd72e5cfe01de03a727b7a64429007595b107e6ad90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpA0B4.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgxbznfq.1kp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\76b53b3ec448f7ccdda2063b15d2bfc3_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

Filesize
2KB

MD5
a7da9b6a40a5335a511c160d1ab3d13a

SHA1
dee835bd8f399be807103052486c0e9a5cee6c86

SHA256
d741de5fc38ed4722a2e33f074d9179c295021f2c65bc42d6da0f3eed1f62e9c

SHA512
b640ce80e956e9638ba4c1d228e5b8ba0058edc51a8bcc44f2d4a6a66d41f9371e023ccb0b90c732cba7f687f35defb220fa51729fd1736902d78c94f6dd67cf

Download Submit
C:\Users\Admin\AppData\Roaming\d33dKuRU8s.exe

Filesize
544KB

MD5
88367533c12315805c059e688e7cdfe9

SHA1
64a107adcbac381c10bd9c5271c2087b7aa369ec

SHA256
c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

SHA512
7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

Download Submit
C:\Users\Admin\AppData\Roaming\fuww1rCuQj.exe

Filesize
304KB

MD5
30f46f4476cdc27691c7fdad1c255037

SHA1
b53415af5d01f8500881c06867a49a5825172e36

SHA256
3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

SHA512
271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
963ca9a5095947baec18f6a65134e9cf

SHA1
a72f7dccfe0b62e48cb02c3a651034ae001e1039

SHA256
739f355a46a20ed02b8d7418bf802f56ff7d94388e8ee08028ea0dfeecb34e81

SHA512
249d890cf13e7fbc873ead7ff8492c3481d2b9b86d161685b2d37d7081566c62d6385b65fe4f6f76418fc0ced1d3a6cc533c4720971d973c3651211c0927de37

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
57c1745d7a3453e0fa1882256236bd1a

SHA1
409c3fa71da392341c6825ec6f97d4e360fcc621

SHA256
83c80b8e9d933025e8cf35bc3f23f719314b9202b4f30cd02f43bb478ebe4741

SHA512
d4147fec5f5e3b3369f6955849f45654d44114dec7096e8645c837e7db13ead951224dc3f5fd2b6f99c484a2502f65f1cd54c3fcf44469a53bada9a4350d4652

Download Submit
memory/564-3-0x0000000000780000-0x0000000000C33000-memory.dmp

Filesize
4.7MB

Download
memory/564-2-0x0000000000781000-0x00000000007AF000-memory.dmp

Filesize
184KB

Download
memory/564-18-0x0000000000780000-0x0000000000C33000-memory.dmp

Filesize
4.7MB

Download
memory/564-4-0x0000000000780000-0x0000000000C33000-memory.dmp

Filesize
4.7MB

Download
memory/564-0-0x0000000000780000-0x0000000000C33000-memory.dmp

Filesize
4.7MB

Download
memory/564-1-0x0000000077624000-0x0000000077626000-memory.dmp

Filesize
8KB

Download
memory/1280-39-0x000000007323E000-0x000000007323F000-memory.dmp

Filesize
4KB

Download
memory/1280-40-0x0000000000890000-0x00000000008E4000-memory.dmp

Filesize
336KB

Download
memory/1472-906-0x00007FF7B7D00000-0x00007FF7B8D26000-memory.dmp

Filesize
16.1MB

Download
memory/2172-772-0x0000000006B60000-0x0000000006BAC000-memory.dmp

Filesize
304KB

Download
memory/2172-753-0x0000000000D00000-0x0000000000D52000-memory.dmp

Filesize
328KB

Download
memory/2212-213-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/2212-218-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/2284-282-0x00000000007E0000-0x0000000000832000-memory.dmp

Filesize
328KB

Download
memory/2284-303-0x0000000006B10000-0x0000000006B5C000-memory.dmp

Filesize
304KB

Download
memory/2384-605-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2384-624-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2384-604-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2548-44-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/2548-77-0x0000000006DF0000-0x0000000006E02000-memory.dmp

Filesize
72KB

Download
memory/2548-89-0x0000000006FC0000-0x000000000700C000-memory.dmp

Filesize
304KB

Download
memory/2548-76-0x0000000006EB0000-0x0000000006FBA000-memory.dmp

Filesize
1.0MB

Download
memory/2548-152-0x0000000009590000-0x00000000095E0000-memory.dmp

Filesize
320KB

Download
memory/2548-64-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/2548-63-0x0000000006160000-0x00000000061D6000-memory.dmp

Filesize
472KB

Download
memory/2548-85-0x0000000006E50000-0x0000000006E8C000-memory.dmp

Filesize
240KB

Download
memory/2548-42-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2548-67-0x0000000007280000-0x0000000007898000-memory.dmp

Filesize
6.1MB

Download
memory/2548-45-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/2548-46-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/2724-263-0x00000000007C0000-0x0000000000A03000-memory.dmp

Filesize
2.3MB

Download
memory/2724-176-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2724-174-0x00000000007C0000-0x0000000000A03000-memory.dmp

Filesize
2.3MB

Download
memory/3508-117-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-92-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-93-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-95-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-96-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3592-774-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/3612-122-0x0000000000C90000-0x0000000000D1E000-memory.dmp

Filesize
568KB

Download
memory/3612-148-0x0000000009FE0000-0x000000000A1A2000-memory.dmp

Filesize
1.8MB

Download
memory/3612-147-0x0000000008860000-0x00000000088C6000-memory.dmp

Filesize
408KB

Download
memory/3612-149-0x000000000A6E0000-0x000000000AC0C000-memory.dmp

Filesize
5.2MB

Download
memory/4120-154-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-223-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-419-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-146-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-20-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-911-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-739-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-304-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-551-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-478-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-776-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-19-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-16-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4120-159-0x00000000006C0000-0x0000000000B73000-memory.dmp

Filesize
4.7MB

Download
memory/4364-90-0x0000000000E80000-0x0000000000F92000-memory.dmp

Filesize
1.1MB

Download
memory/4652-121-0x0000000000450000-0x00000000004A2000-memory.dmp

Filesize
328KB

Download
memory/4712-602-0x0000000000520000-0x0000000000558000-memory.dmp

Filesize
224KB

Download
memory/5256-913-0x000000001DA60000-0x000000001DA72000-memory.dmp

Filesize
72KB

Download
memory/5256-1603-0x000000001E880000-0x000000001E89E000-memory.dmp

Filesize
120KB

Download
memory/5256-623-0x0000000000720000-0x000000000073C000-memory.dmp

Filesize
112KB

Download
memory/5256-914-0x000000001DAC0000-0x000000001DAFC000-memory.dmp

Filesize
240KB

Download
memory/5256-912-0x000000001DA10000-0x000000001DA3A000-memory.dmp

Filesize
168KB

Download
memory/5952-890-0x0000000000800000-0x000000000084C000-memory.dmp

Filesize
304KB

Download
memory/5952-810-0x0000000000800000-0x000000000084C000-memory.dmp

Filesize
304KB

Download
memory/5952-891-0x0000000000800000-0x000000000084C000-memory.dmp

Filesize
304KB

Download
memory/6012-688-0x0000019D36970000-0x0000019D36992000-memory.dmp

Filesize
136KB

Download
memory/6120-933-0x0000000004D90000-0x0000000004E6E000-memory.dmp

Filesize
888KB

Download
memory/6120-935-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-934-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-943-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-945-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-941-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-939-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-938-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/6120-932-0x0000000004C10000-0x0000000004CEC000-memory.dmp

Filesize
880KB

Download
memory/6120-2011-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

Filesize
304KB

Download
memory/6120-2010-0x0000000004F40000-0x0000000004F98000-memory.dmp

Filesize
352KB

Download
memory/6120-931-0x0000000000380000-0x000000000046E000-memory.dmp

Filesize
952KB

Download
memory/6128-910-0x00007FF68FAE0000-0x00007FF690587000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads