amadey | 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Size

1.8MB
MD5

bc84ed6e5a8ae05b5d5616de16628c03
SHA1

16f768b807acb9a9b047d37d5602f9fd4263c3e9
SHA256

5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c
SHA512

f3b85266e5085ea74415e3346b0eb569335c70b32c366a9a1ad87fe04f96b178a5736e8ceda4e8bb43129321a429d588cfff0332316b5e3c38c332e6a909e1f8
SSDEEP

24576:tnLehpzQc+mCyg2F3rI8jm8PE/iyTZNndwZaqoBfpT3emrHviOeAiYZkMBpm9QsF:JihhgB8C8PE6ydMIqklBfeYkgUlh3Z

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.163.21:29257

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

14082024

185.215.113.67:21405

Extracted

Family

redline

Botnet

816FA

88.99.151.68:7200

Extracted

Family

stealc

Botnet

penis

http://185.196.9.140

Attributes

url_path
/c3f845711fab35f8.php

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

amadey

Version

4.41

Botnet

a51500

http://api.garageserviceoperation.com

Attributes

install_dir
0cf505a27f
install_file
ednfovi.exe
strings_key
0044a8b8e295529eaf3743c9bc3171d2
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

lumma

https://potentioallykeos.shop/api

https://deicedosmzj.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000235bb-642.dat	family_xworm
behavioral1/memory/5388-654-0x0000000000520000-0x000000000053C000-memory.dmp	family_xworm

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral1/files/0x000a000000023423-698.dat	zharkcore

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023609-878.dat	family_purelog_stealer
behavioral1/memory/3700-890-0x00000000003D0000-0x00000000004BE000-memory.dmp	family_purelog_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/1948-44-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x0007000000023519-114.dat	family_redline
behavioral1/memory/2716-124-0x0000000000730000-0x0000000000782000-memory.dmp	family_redline
behavioral1/files/0x0010000000023532-271.dat	family_redline
behavioral1/memory/4168-285-0x0000000000C60000-0x0000000000CB2000-memory.dmp	family_redline
behavioral1/memory/6068-561-0x0000000001150000-0x00000000011A2000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3716 created 3464	3716	Beijing.pif	56
PID 3716 created 3464	3716	Beijing.pif	56
PID 5920 created 3464	5920	Cultures.pif	56
PID 3700 created 3464	3700	Mswgoudnv.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5568	powershell.exe
5368	powershell.exe
5956	powershell.exe
6036	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
64	netsh.exe
556	netsh.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	runtime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	coreplugin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	BattleGermany.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Beijing.pif

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5056	cmd.exe
3276	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe

Executes dropped EXE 33 IoCs

pid	Process
2428	axplong.exe
692	GOLD.exe
768	crypteda.exe
2156	vBKe8gqNq1.exe
2716	XvrPMJJYrz.exe
1004	axplong.exe
4600	stealc_default.exe
3224	clcs.exe
4168	14082024.exe
5456	BattleGermany.exe
5768	Community.pif
6024	runtime.exe
3716	Beijing.pif
2832	coreplugin.exe
5920	Cultures.pif
4656	axplong.exe
4960	Indentif.exe
5452	crypted8888.exe
5388	explorer.exe
5232	Cultures.pif
3512	LummaC22222.exe
6024	kitty.exe
428	build2.exe
5532	5PHCENYBS068Y01.exe
5304	stub.exe
3700	Mswgoudnv.exe
5876	Hkbsse.exe
3620	SÐµtuÑ€111.exe
2568	Hkbsse.exe
5912	axplong.exe
1464	Mswgoudnv.exe
1260	bsnj.exe
448	explorer

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe

Loads dropped DLL 34 IoCs

pid	Process
4600	stealc_default.exe
4600	stealc_default.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe
5304	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\explorer"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe"	Mswgoudnv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
153	raw.githubusercontent.com
154	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
128	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2140	cmd.exe
3260	ARP.EXE

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
5604	tasklist.exe
1316	tasklist.exe
2076	tasklist.exe
1100	tasklist.exe
4584	tasklist.exe
5284	tasklist.exe
5660	tasklist.exe
4652	tasklist.exe
5636	tasklist.exe
5660	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6060	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
2428	axplong.exe
1004	axplong.exe
4656	axplong.exe
5912	axplong.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 1948	692	GOLD.exe	92
PID 768 set thread context of 652	768	crypteda.exe	99
PID 5920 set thread context of 5232	5920	Cultures.pif	193
PID 5452 set thread context of 5544	5452	crypted8888.exe	196
PID 3700 set thread context of 1464	3700	Mswgoudnv.exe	362

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
File opened for modification	C:\Windows\ChestAntique	runtime.exe
File opened for modification	C:\Windows\HostelGalleries	runtime.exe
File opened for modification	C:\Windows\EquationExplorer	runtime.exe
File opened for modification	C:\Windows\TreeProfessor	runtime.exe
File opened for modification	C:\Windows\SysOrleans	runtime.exe
File opened for modification	C:\Windows\ConfiguringUps	runtime.exe
File opened for modification	C:\Windows\ExplorerProprietary	runtime.exe
File created	C:\Windows\Tasks\Hkbsse.job	build2.exe
File created	C:\Windows\Tasks\Test Task17.job	Mswgoudnv.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2728	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 27 IoCs

pid	pid_target	Process	procid_target
4800	5232	WerFault.exe	193
6088	5232	WerFault.exe	193
5652	5232	WerFault.exe	193
3016	6024	WerFault.exe	215
5188	3512	WerFault.exe	202
5488	3512	WerFault.exe	202
4316	428	WerFault.exe	224
4924	428	WerFault.exe	224
5788	428	WerFault.exe	224
6040	428	WerFault.exe	224
2068	428	WerFault.exe	224
4344	428	WerFault.exe	224
3964	428	WerFault.exe	224
4004	428	WerFault.exe	224
5156	428	WerFault.exe	224
1140	5544	WerFault.exe	196
2092	5876	WerFault.exe	300
2156	5876	WerFault.exe	300
5324	5876	WerFault.exe	300
2900	5876	WerFault.exe	300
2564	5876	WerFault.exe	300
368	5876	WerFault.exe	300
5480	5876	WerFault.exe	300
4308	5876	WerFault.exe	300
5476	5876	WerFault.exe	300
2312	5876	WerFault.exe	300
3856	5876	WerFault.exe	300

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vBKe8gqNq1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XvrPMJJYrz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cultures.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted8888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mswgoudnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coreplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Community.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beijing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cultures.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kitty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BattleGermany.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mswgoudnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SÐµtuÑ€111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14082024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2352	cmd.exe
3916	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
6088	NETSTAT.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SÐµtuÑ€111.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SÐµtuÑ€111.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3556	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
692	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4796	ipconfig.exe
6088	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3444	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3224	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5856	schtasks.exe
5916	schtasks.exe
5260	schtasks.exe
1384	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5388	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
2428	axplong.exe
2428	axplong.exe
2156	vBKe8gqNq1.exe
2156	vBKe8gqNq1.exe
1948	RegAsm.exe
1948	RegAsm.exe
1948	RegAsm.exe
1948	RegAsm.exe
1948	RegAsm.exe
1948	RegAsm.exe
2716	XvrPMJJYrz.exe
2716	XvrPMJJYrz.exe
2716	XvrPMJJYrz.exe
2716	XvrPMJJYrz.exe
2716	XvrPMJJYrz.exe
2716	XvrPMJJYrz.exe
1004	axplong.exe
1004	axplong.exe
4600	stealc_default.exe
4600	stealc_default.exe
4600	stealc_default.exe
4600	stealc_default.exe
1256	msedge.exe
1256	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4168	14082024.exe
4772	msedge.exe
4772	msedge.exe
1020	msedge.exe
1020	msedge.exe
4860	identity_helper.exe
4860	identity_helper.exe
5768	Community.pif
5768	Community.pif
5768	Community.pif
5768	Community.pif
5768	Community.pif
5768	Community.pif
5768	Community.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
32	msedge.exe
32	msedge.exe
32	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	vBKe8gqNq1.exe
Token: SeBackupPrivilege	2156	vBKe8gqNq1.exe
Token: SeSecurityPrivilege	2156	vBKe8gqNq1.exe
Token: SeSecurityPrivilege	2156	vBKe8gqNq1.exe
Token: SeSecurityPrivilege	2156	vBKe8gqNq1.exe
Token: SeSecurityPrivilege	2156	vBKe8gqNq1.exe
Token: SeDebugPrivilege	1948	RegAsm.exe
Token: SeDebugPrivilege	2716	XvrPMJJYrz.exe
Token: SeDebugPrivilege	4168	14082024.exe
Token: SeDebugPrivilege	5604	tasklist.exe
Token: SeDebugPrivilege	5660	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	4652	tasklist.exe
Token: SeDebugPrivilege	5636	tasklist.exe
Token: SeDebugPrivilege	5660	tasklist.exe
Token: SeDebugPrivilege	6068	jsc.exe
Token: SeDebugPrivilege	5388	explorer.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	5956	powershell.exe
Token: SeDebugPrivilege	6036	powershell.exe
Token: SeDebugPrivilege	5568	powershell.exe
Token: SeDebugPrivilege	5388	explorer.exe
Token: SeIncreaseQuotaPrivilege	692	WMIC.exe
Token: SeSecurityPrivilege	692	WMIC.exe
Token: SeTakeOwnershipPrivilege	692	WMIC.exe
Token: SeLoadDriverPrivilege	692	WMIC.exe
Token: SeSystemProfilePrivilege	692	WMIC.exe
Token: SeSystemtimePrivilege	692	WMIC.exe
Token: SeProfSingleProcessPrivilege	692	WMIC.exe
Token: SeIncBasePriorityPrivilege	692	WMIC.exe
Token: SeCreatePagefilePrivilege	692	WMIC.exe
Token: SeBackupPrivilege	692	WMIC.exe
Token: SeRestorePrivilege	692	WMIC.exe
Token: SeShutdownPrivilege	692	WMIC.exe
Token: SeDebugPrivilege	692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	692	WMIC.exe
Token: SeRemoteShutdownPrivilege	692	WMIC.exe
Token: SeUndockPrivilege	692	WMIC.exe
Token: SeManageVolumePrivilege	692	WMIC.exe
Token: 33	692	WMIC.exe
Token: 34	692	WMIC.exe
Token: 35	692	WMIC.exe
Token: 36	692	WMIC.exe
Token: SeDebugPrivilege	2076	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4056	WMIC.exe
Token: SeSecurityPrivilege	4056	WMIC.exe
Token: SeTakeOwnershipPrivilege	4056	WMIC.exe
Token: SeLoadDriverPrivilege	4056	WMIC.exe
Token: SeSystemProfilePrivilege	4056	WMIC.exe
Token: SeSystemtimePrivilege	4056	WMIC.exe
Token: SeProfSingleProcessPrivilege	4056	WMIC.exe
Token: SeIncBasePriorityPrivilege	4056	WMIC.exe
Token: SeCreatePagefilePrivilege	4056	WMIC.exe
Token: SeBackupPrivilege	4056	WMIC.exe
Token: SeRestorePrivilege	4056	WMIC.exe
Token: SeShutdownPrivilege	4056	WMIC.exe
Token: SeDebugPrivilege	4056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4056	WMIC.exe
Token: SeRemoteShutdownPrivilege	4056	WMIC.exe
Token: SeUndockPrivilege	4056	WMIC.exe
Token: SeManageVolumePrivilege	4056	WMIC.exe
Token: 33	4056	WMIC.exe
Token: 34	4056	WMIC.exe
Token: 35	4056	WMIC.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
5768	Community.pif
5768	Community.pif
5768	Community.pif
3716	Beijing.pif
3716	Beijing.pif
3716	Beijing.pif
5920	Cultures.pif
5920	Cultures.pif
5920	Cultures.pif
428	build2.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
5768	Community.pif
5768	Community.pif
5768	Community.pif
3716	Beijing.pif
3716	Beijing.pif
3716	Beijing.pif
5920	Cultures.pif
5920	Cultures.pif
5920	Cultures.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5388	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2428	1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe	89
PID 1916 wrote to memory of 2428	1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe	89
PID 1916 wrote to memory of 2428	1916	5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe	89
PID 2428 wrote to memory of 692	2428	axplong.exe	90
PID 2428 wrote to memory of 692	2428	axplong.exe	90
PID 2428 wrote to memory of 692	2428	axplong.exe	90
PID 692 wrote to memory of 1840	692	GOLD.exe	91
PID 692 wrote to memory of 1840	692	GOLD.exe	91
PID 692 wrote to memory of 1840	692	GOLD.exe	91
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 692 wrote to memory of 1948	692	GOLD.exe	92
PID 2428 wrote to memory of 768	2428	axplong.exe	98
PID 2428 wrote to memory of 768	2428	axplong.exe	98
PID 2428 wrote to memory of 768	2428	axplong.exe	98
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 768 wrote to memory of 652	768	crypteda.exe	99
PID 652 wrote to memory of 2156	652	RegAsm.exe	100
PID 652 wrote to memory of 2156	652	RegAsm.exe	100
PID 652 wrote to memory of 2156	652	RegAsm.exe	100
PID 652 wrote to memory of 2716	652	RegAsm.exe	102
PID 652 wrote to memory of 2716	652	RegAsm.exe	102
PID 652 wrote to memory of 2716	652	RegAsm.exe	102
PID 2428 wrote to memory of 4600	2428	axplong.exe	107
PID 2428 wrote to memory of 4600	2428	axplong.exe	107
PID 2428 wrote to memory of 4600	2428	axplong.exe	107
PID 2428 wrote to memory of 3224	2428	axplong.exe	111
PID 2428 wrote to memory of 3224	2428	axplong.exe	111
PID 2428 wrote to memory of 3224	2428	axplong.exe	111
PID 2428 wrote to memory of 4168	2428	axplong.exe	112
PID 2428 wrote to memory of 4168	2428	axplong.exe	112
PID 2428 wrote to memory of 4168	2428	axplong.exe	112
PID 3224 wrote to memory of 32	3224	clcs.exe	114
PID 3224 wrote to memory of 32	3224	clcs.exe	114
PID 32 wrote to memory of 1140	32	msedge.exe	115
PID 32 wrote to memory of 1140	32	msedge.exe	115
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116
PID 32 wrote to memory of 4892	32	msedge.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4512	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
  "C:\Users\Admin\AppData\Local\Temp\5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1840
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Users\Admin\AppData\Roaming\vBKe8gqNq1.exe
        
        "C:\Users\Admin\AppData\Roaming\vBKe8gqNq1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
      - C:\Users\Admin\AppData\Roaming\XvrPMJJYrz.exe
        
        "C:\Users\Admin\AppData\Roaming\XvrPMJJYrz.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe
      "C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:32
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc0,0x108,0x7ffba96a46f8,0x7ffba96a4708,0x7ffba96a4718
        6⤵
        
        PID:1140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13857031746986170691,9603576881050009550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:4892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13857031746986170691,9603576881050009550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13857031746986170691,9603576881050009550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
        6⤵
        
        PID:4504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13857031746986170691,9603576881050009550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        6⤵
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13857031746986170691,9603576881050009550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:3056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13857031746986170691,9603576881050009550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
        6⤵
        
        PID:2256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba96a46f8,0x7ffba96a4708,0x7ffba96a4718
        6⤵
        
        PID:1752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:5068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
        6⤵
        
        PID:2164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
        6⤵
        
        PID:1528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3456 /prefetch:8
        6⤵
        
        PID:3904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
        6⤵
        
        PID:728
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
        6⤵
        
        PID:1792
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
        6⤵
        
        PID:3720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        6⤵
        
        PID:2868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
        6⤵
        
        PID:4332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17426889806035661416,4696183881942875267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        6⤵
        
        PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe
      "C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe
      "C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 177479
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "FoolBurkeRetainedWait" Drop
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\177479\Community.pif
        
        Community.pif s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        7⤵
        
        PID:6064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 40365
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "HopeBuildersGeniusIslam" Sonic
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
        
        Beijing.pif s
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 488
        8⤵
        Program crash
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 712
        8⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 804
        8⤵
        Program crash
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 884
        8⤵
        Program crash
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 924
        8⤵
        Program crash
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 960
        8⤵
        Program crash
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 968
        8⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1124
        8⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1160
        8⤵
        Program crash
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 416
        9⤵
        Program crash
        
        PID:2092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 576
        9⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 584
        9⤵
        Program crash
        
        PID:5324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 828
        9⤵
        Program crash
        
        PID:2900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 840
        9⤵
        Program crash
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 916
        9⤵
        Program crash
        
        PID:368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 916
        9⤵
        Program crash
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 976
        9⤵
        Program crash
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 996
        9⤵
        Program crash
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 1100
        9⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 1156
        9⤵
        Program crash
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1140
        8⤵
        Program crash
        
        PID:5156
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe
      "C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 297145
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CorkBkConditionsMoon" Scary
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
      - C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        
        Cultures.pif k
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5920
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
  - - C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe
      "C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe"
      4⤵
      Executes dropped EXE
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe
      "C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 1348
        6⤵
        Program crash
        
        PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\explorer"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe
      "C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 712
        5⤵
        Program crash
        
        PID:5188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1092
        5⤵
        Program crash
        
        PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
      "C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"
      4⤵
      Executes dropped EXE
      PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\onefile_5532_133688157935014865\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:6044
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:5928
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:6088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:1316
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:5564
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:4124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:2856
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:64
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:6060
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4512
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:3548
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        7⤵
        
        PID:5008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:2560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5204
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:4584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:5056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        
        PID:3276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:212
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:5340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2352
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:2140
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:3444
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:1272
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:3556
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:1512
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:4452
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:1292
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:3552
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:5960
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:1104
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5952
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:5792
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:1400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:1724
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:1232
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:3704
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:3904
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:5284
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:4796
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:3640
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:3260
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:6088
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:2728
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:64
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:3232
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4340
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe
      "C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\1000179001\SÐµtuÑ€111.exe
      "C:\Users\Admin\AppData\Local\Temp\1000179001\SÐµtuÑ€111.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:3620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
  C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 652
    3⤵
    - Program crash
    PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1028
    3⤵
    - Program crash
    PID:6088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1032
    3⤵
    - Program crash
    PID:5652
- C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe
  "C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1464

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5232 -ip 5232
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5232 -ip 5232
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5232 -ip 5232
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6024 -ip 6024
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3512 -ip 3512
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3512 -ip 3512
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 428 -ip 428
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 428 -ip 428
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 428 -ip 428
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 428 -ip 428
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 428 -ip 428
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 428 -ip 428
1⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 428 -ip 428
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 428 -ip 428
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 428 -ip 428
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5544 -ip 5544
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5876 -ip 5876
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5876 -ip 5876
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5876 -ip 5876
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5876 -ip 5876
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5876 -ip 5876
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5876 -ip 5876
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5876 -ip 5876
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5876 -ip 5876
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5876 -ip 5876
1⤵
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5876 -ip 5876
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5876 -ip 5876
1⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5912

C:\Users\Admin\explorer
C:\Users\Admin\explorer
1⤵
- Executes dropped EXE
PID:448

C:\ProgramData\eiits\bsnj.exe
C:\ProgramData\eiits\bsnj.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
e72a6235546ecde489b513acd59ec438

SHA1
150ee6b1548e838b2efdb64b4791962c7b16c48c

SHA256
2aa9f0ca4f45a881f492c1e88f238cb335ae2ef42984f46beaccc35511d6f465

SHA512
3935e56bfe11de2c7cd58ec8a38a3f20021a58fc0cfd6f8cac2b7b6dd9968716c68fe849654689c3a71638158f3365620cea1d873fde484c5bc4435c2eb444ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
23cadf5b0ea37cc7bccab4db28e591ef

SHA1
fd7236d9c4293ab1f92ba29c0b5a3b12e025970a

SHA256
dea0a0734f3efb285556be1d65f42df7c1ba71b2ea6b9db9f0c5801f66d452dd

SHA512
fde9707b17aef133783dda2c2f267cb7150f40c7f9173b74300ad5e3ad9c6434854b635dbebfd838df7fb467f215803e403606ac5fd2ae0317635dbb3fb97611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
bdcb6bb9426394723ad78273d2874696

SHA1
0b75f625fadc288a49fdd31998a4badc7585fa99

SHA256
24b47ace57e7f844a3bd11da9bb233cd17a1810705f76562e352da3d40a4806a

SHA512
f9d4f0b7828cc6a85bcdc66fc6fc797c6980f229426a5614c47311a5e770d0470c571e9bdc9516f15b9f94830845181a0b8dd8ab424ae3ae915f12eb60764f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
3a25afdcc3728691472f78ebfbb602a2

SHA1
951386f0ed1c568165c9b0dc5c65d2df60f6eaf2

SHA256
9aa6f10bc5d2c71758a4617221e744c5816d01698db75d8b9d6a510f98f4c4c5

SHA512
16ea01e70c75fa24074d739115724703bfb401a75316d7c061f908ff810a81a8634d79e40176a1659535f1884a8d9c570326cc148d6f478a63f466b723115ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
a1569e31240d325e25c16aa2404db502

SHA1
23e033ddef111494a41ed631b65e63d8bab779ad

SHA256
33b26b6f48bd96ecbb8a7f5d2da5bde42409f1caf42f93df71ce7552fdb67941

SHA512
41c3edc8f58168c49f6e78e3c77011e4c5fd287ad4ade48054202cada1a0f017710710c71b8ee941d44c1622752e5bca505f1c2b02b2a3670611ff941dcb9a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
15e0490e39419d8de059efe88929b992

SHA1
1a0f5e79a3b4d60be6079f5835b6a5e9907a9df3

SHA256
0d903d2d7ba74a496074979f0db19811a853c91b88b3ae92511b5e47801f2aa0

SHA512
6e833a0260bc9e75f7f47fc0a50301bfb0fba35f89e2c2c5f71e278df366a091de01f0c823682fcec5d3a9c88e16bb6a03f5b9386d9bfe5d5244233e74517469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
a28a4216dd4ba4ee9acb7f691a04d717

SHA1
feb75f512322fc5158b6b63a8afde84379f673bb

SHA256
72ec72b7feb135f75b2c375d6c4e76928a0f61320b83a03b8b5d53c30d35f2ea

SHA512
74047db20c4651d2ca1746729aa9cc7fd5dd933a55fbdb693307b47cd7307e0115ca1439a06f2b8dc4d3aa29feccad4cd0964be3ddb58abeceb1681d8815cc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
58cd0befe983b870244a71504b548dc4

SHA1
46d4f5cfea0b09cde149a815033d88e2afbb6e70

SHA256
4cdf79e1eddd98805434c3774af95a2e7eab238c09e85b88b1bff4ba2d19d1b2

SHA512
ea7949bfd725e14a9dd225ace575371ce16d6fd6c84dee9fa0969637b44368cc650e6322283096e913fb87a215e45b87243f2e01337ea7f23b43ffab355979be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36b636e6a0a7b67fc563bf170c105a28

SHA1
c899851566e425b24200ea201ee82d9d5731fc99

SHA256
7dab583c5a502f6c52067878d15e92fc0ec5c0cca66403e8cd54c2b1d21da467

SHA512
c89f2e7fe3f8b6de1f84fe98b1f57cccab247c65e178124d8fa77d6c14714560c713213ee4b1f716b69775dd17db9ff8d29a30c6751db7705be32bacf4c3d238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ba9cb8011ebeff0578d8ff15e6e4221

SHA1
a4132e6154026b21b9db14d886167419729c5222

SHA256
a66472a31d6bd1b5d1ae580051c0ad8422075b90983677e1bafbb98c9360cd25

SHA512
be5c4cdda1e793046e1ed5c368071c0c23e88822db927fe56bb90ab01e8f80f6079f390615db4f9d08670002553bd01dce2905552bc453aee2efc0fea80d3f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
99B

MD5
ba92e5bbca79ea378c3376187ae43eae

SHA1
f0947098577f6d0fe07422acbe3d71510289e2fc

SHA256
ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f

SHA512
aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
4d824067357d5aacbeb68d6e0fe0dd23

SHA1
c91f476518fba13578e3bb3af802d2d91fd46368

SHA256
41b1d1a4182f874a733c57881f32826ed63c66c63943fbec3af7dd76950f4c68

SHA512
1f8baf8dede6e30352cb6ce9f8232514253097026d983df03aa6cf69767907cbb7ca6ef3f0abdf03897b8c739aa8b9b4ac25baf98fa30ba0504ee18c82e7b96a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1495ed4a7152e0c9c4e79c5945380cf2

SHA1
3748bf71d4124292df3f03a1ca55c4aa1565e0bf

SHA256
3f849c89268dda4d08380e4196191495fbd2301d207bc983592f2a549e0c199f

SHA512
b5af78bc6ab0f4401edf9d84cbfa4259d5824cb05508a483c33386dead3b1c17fe664e49b9a8502cf6bff05b079df5da8860b3367a47c0940315810c82485e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f6a84707751c659c976bab95160792e3

SHA1
e7e8c3d5d768c949296b09e55b082125b3a59261

SHA256
aaf1f33020aae71ddcf807f4acc71c81c92391e842a7a93f73541910b092e722

SHA512
7db2c660eda8cfa24e1674e20ab4381b976b4005ed2737f92e9850d7ec6d5be2aa898c3e69bc93186ec58ea01a8a6d3e98187a34b002728610318b6be1c453be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
24eb756759e14caf8a0428dd43e5d5e2

SHA1
fd5e2c7380942251273f4590a6cf3af9ecf319dc

SHA256
5df010f6b9821314da092e590b83808e23208d70fe08f4f4cc91f413c13c60b8

SHA512
30945accaba8b426c1e5bdd23cbc573bf0d01249410eab92cb5cae9fada696912c46e89468519c41657ce3e5ebfcac84492f219be7ce3c78be12935b04eda7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
80KB

MD5
94ef6e2ee83af4197da1d61af0a2b655

SHA1
1c7aae2710ffbb24d1e99bf3776e922f58ca8724

SHA256
a8e963e40bf8b81ca785ae87eee258606d96d8d4dba3432330f68a1724f5a8c1

SHA512
e9bcc167eef5099f763e517a656c983185dbf6445db18b076db6af5546abf1360dd4fb68f20272bb8c364dbcf5e2b2f3583a9af1de269d7379f57c1d25bea962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
5eb022cd151c16db36ba276d9dd434b1

SHA1
6ff57eab483fca43f648b991294b5357cdbd510e

SHA256
0b9e3a935d0dd11aa0d15aa0e9b8bec8ba9c1963a1de1156ac5ba12b5e2cea12

SHA512
73233aad0e0ec8b1821bdc7877340ff944db812cbe451a37788d67a4fa3982a628db21c33d121853b0f14a49f210cf6813b6126f3c6a06d6485ce7b8385027d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
4cd463510573eeaa7e11604cbdd1e88a

SHA1
ba8643891e6bd843d6a54103860a7bdd8bdcff2f

SHA256
23b6f7fdca58745bfb1b1688d02604a78302f0ee54850533207edffdc363762f

SHA512
ed050794d83b62e805d958f3cb4bcfd4e88a2afc880ce6c960813b157d9ff5e5abe4b9d59c0f5ec6bc339797ec19e9c7e61c817d7b55efa67319a31d8ae99460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
551bf185edf4b0914df19b1414d57771

SHA1
9da77e2757a8477328cd3fc6e7ef6c7949af1161

SHA256
57b5dddd047846584180452371b219f1218a1d5bbfa487cad31e487124a8823c

SHA512
8d8fe684e0001eb1d5d2e331e13b0741e8286680333e9d4891d8881fb8da3f04e6d7df295f57a094c91670eff3b7b9a8b9b3e524f81440be2091d8a9a1513408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2ef7733fdad1fe1707483ad323711555

SHA1
f1653e61edc46c81488375ed8e3604caaa24c3a9

SHA256
35918128a29104166257abe40564ac0e0b28a797b16c7cd8e8f5a5c2ee39d24c

SHA512
5ab029200e869827aa6fc3deecc18fadbb22c2446bbbee59a24726ec0c22518380e61f4ee3598ec34c36df514834c9bdc56dc93f436021508671a7297c5515ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
4459bf26eebf0293b75c624cdf1c6b23

SHA1
2a0cf63d7d2a2a729b1b84e221955a5ab46f2e47

SHA256
2ddd13a6fc974d25f11c33a905c39ba8b6d266f7c58a93a41e5ada5975c821c7

SHA512
f9246c653ea54d90833734d359ebba743e97a7978639a8c48f64f2b026affed9281e65a44d12af2224e0493df1e3ca3dfd8fd101bd4c5170471b5dd6dbaf8f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
166fb805a340b72b2fe7af92e749f164

SHA1
d24e04aee04e46a0c9e26980255f591b47051c66

SHA256
c48cc8ec4c993be73a7fbcce530ab49aff1bb1cfef99f630e680c3f2b9c63e8d

SHA512
17bc50659e0889c4ce949e51edb6b970c5a21946a13f3a3db0f323c9ba310de0a0f32c08b1a7f13ce171f16b9604733237c8529ffe5f194c6e45daa6ab1a9c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
efddc702c111d9aadbaebea81df62a4b

SHA1
7c0ba787b7322165d2a2200c38b60df6333d4ffa

SHA256
81734b2bd0ceb49c2d4fafbea015309cef0ffdd2501085fb6f8badab19dfdfdd

SHA512
0639ae02e583aadc610c105b6cac7adef24246306254002d6a40df90451b0382e07e1d082743f56542be67ca5c1b793fbca6423e49d71beef64042f975323604

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
323KB

MD5
d6fca3cd57293390ccf9d2bc83662dda

SHA1
94496d01aa91e981846299eeac5631ab8b8c4a93

SHA256
74e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e

SHA512
3990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.1MB

MD5
8e74497aff3b9d2ddb7e7f819dfc69ba

SHA1
1d18154c206083ead2d30995ce2847cbeb6cdbc1

SHA256
d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

SHA512
9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe

Filesize
319KB

MD5
0ec1f7cc17b6402cd2df150e0e5e92ca

SHA1
8405b9bf28accb6f1907fbe28d2536da4fba9fc9

SHA256
4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

SHA512
7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe

Filesize
7.9MB

MD5
d23710b05767ac5d4e1d4754f468599e

SHA1
6fbe21034afe7850a1e608ea67460c25aebb4232

SHA256
b78c67f56b7af5533a502fef2ed9b0ce4c9d507214a74f7d0501611941197b75

SHA512
e021881e5050b14ab78bcaa686d180b88ac620876cd45525b7648b04a8b672010832a3e8f40221c1e6420b9f6ceda1918a2cc04eb56db9dde39aae3c63dc8a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe

Filesize
304KB

MD5
9bba979bb2972a3214a399054242109b

SHA1
60adcedb0f347580fb2c1faadb92345c602c54e9

SHA256
17b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368

SHA512
89285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe

Filesize
481KB

MD5
f9a4f6684d1bf48406a42921aebc1596

SHA1
c9186ff53de4724ede20c6485136b4b2072bb6a6

SHA256
e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

SHA512
67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe

Filesize
8.3MB

MD5
b7df5fdcfdc3f46b0b4f28c1ffb82937

SHA1
3209511839cd917318c754e0105c1d0cf298f25b

SHA256
7636d2367079eabd9da2bb40935df3da580affc47473fd93ed3b2e01ee6c46e5

SHA512
8a65c4e2b0755323293736fc01eb445071e04f7e2c345d2838bf7a89887f40c6e3b81df4bb35807d9a47ffa322b42383194baec45fd9b3f1e31cbcb6a72e819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe

Filesize
1.1MB

MD5
9954f7ed32d9a20cda8545c526036143

SHA1
8d74385b24155fce660ab0ad076d070f8611024a

SHA256
a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5

SHA512
76ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe

Filesize
7.4MB

MD5
e14e1aa11625c06cafce8fdab8e9875d

SHA1
12e19904b45ad20df2d57ce0305a3469eda28f28

SHA256
d52015fab106cf0c3b2b290f5234e15d966a9adc779c20268789e24f715f9e84

SHA512
b37dab49c8fa9ca39ace81374a1bdcdac44240b28936734cbe1a3a9ca8069e482b8f3be48594485c20ed883c1b2f214dc3824fad6cb1c19cbbdd303e61cd720d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe

Filesize
208KB

MD5
031836b5b4c2fc0ba30f29e8a936b24e

SHA1
adc7e7ec27f548afd50fac684c009cfe5c2e0090

SHA256
bf4f27f6932ce75b1746f5364af3abacbdafa59913da513a168d86ea0ad3a3a4

SHA512
ac58ed6b9a3ce4c35366e99e72e4ee1c87048a11979c91f69740d49b3c1f4f4dc3cbaa66287c73530806b8359933e7b6df0bbab01bc3dd4f351988a6a3cd3b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe

Filesize
87KB

MD5
7bc9e427746a95ed037db5e0b3230780

SHA1
e5fb0551239eb8edf5b117b04a86742c7780355c

SHA256
3d8b1b6802f265ff8eb229c38ff81824f3652f271eb97b7bfef86db369902a08

SHA512
ae6e823d72a1a976401726ba3dfb61919bf529719fc555c680a99b3a58c15c982b9a8024d4ca2dab933acd1cc22c1f66bc0d46e7d0e7422825dad9c77852808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe

Filesize
258KB

MD5
40e9f5e6b35423ed5af9a791fc6b8740

SHA1
75d24d3d05a855bb347f4e3a94eae4c38981aca9

SHA256
7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

SHA512
c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe

Filesize
10.5MB

MD5
7fffe8702479239234bce6013bcad409

SHA1
ee7aaecaeff869350ead69c907b77d5b0afd3f09

SHA256
7870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95

SHA512
8d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe

Filesize
924KB

MD5
de64bb0f39113e48a8499d3401461cf8

SHA1
8d78c2d4701e4596e87e3f09adde214a2a2033e8

SHA256
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

SHA512
35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000179001\SÐµtuÑ€111.exe

Filesize
6.4MB

MD5
9436c63eb99d4933ec7ffd0661639cbe

SHA1
12da487e8e0a42a1a40ed00ee8708e8c6eed1800

SHA256
3a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e

SHA512
59bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
bc84ed6e5a8ae05b5d5616de16628c03

SHA1
16f768b807acb9a9b047d37d5602f9fd4263c3e9

SHA256
5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c

SHA512
f3b85266e5085ea74415e3346b0eb569335c70b32c366a9a1ad87fe04f96b178a5736e8ceda4e8bb43129321a429d588cfff0332316b5e3c38c332e6a909e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\569267554116

Filesize
87KB

MD5
27aa5aac1538aaaecca32651f3023544

SHA1
86ca39e3700cff7cdd293b32eeaba74468cb8863

SHA256
0a74ca586d1d097ec4a03e50dad81cd98baf59fa620999e59a35ef981a9ecc29

SHA512
de0a4416f053a807ae8e05010eed8c04c940f5966d12bf7647d38f5011983052ccf1c9ce5243649cc7eac01aab853f53995b4a3acc942e3398f0dddfde374572

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE32C.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
2e5b34ca73bac7d39579ae5af5c50268

SHA1
910b0865cce750b73e308d0c9314edcdcf4162bb

SHA256
79f7541d73ed1744fbc041fdeaf95cae2e2a43cf9d73f6d9476b67a5c2ea9695

SHA512
95dcb404558da6bf1b58640440f3e26b13bf53b8fe05932e85b85dea7e629a544f2bfef094fdd23fd2ad0692297aad338e23c9e6e516e5c852d6d7c1c97249fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jquseds4.qwr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\76b53b3ec448f7ccdda2063b15d2bfc3_6f95b8b4-c02b-43c9-8cd4-016780936b63

Filesize
2KB

MD5
056890b37b954f344fa6fd2a6650f739

SHA1
3ddf4f7b54aa6b5ab82592f7b479ac3e651b4813

SHA256
6ba3468678dfcac4d42edf4831a2e3055f6363bc7e563704e50ee1ab94a293b8

SHA512
b403e3c024a4a2b2bf1e1a4744962795fbe8dedff38d113902b170d08a88019dbf4aae7a20ab6a8cadd84b58f705a835086dd00ef9e0bdf8ab5bc1016115d951

Download Submit
C:\Users\Admin\AppData\Roaming\XvrPMJJYrz.exe

Filesize
304KB

MD5
30f46f4476cdc27691c7fdad1c255037

SHA1
b53415af5d01f8500881c06867a49a5825172e36

SHA256
3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

SHA512
271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

Download Submit
C:\Users\Admin\AppData\Roaming\vBKe8gqNq1.exe

Filesize
544KB

MD5
88367533c12315805c059e688e7cdfe9

SHA1
64a107adcbac381c10bd9c5271c2087b7aa369ec

SHA256
c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

SHA512
7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
ae8215854610b6bf9f765633f6959820

SHA1
505f0d29a5976a6091369802839d08a93c725bbd

SHA256
1b0225d14d990acf9e77cef95b86fc3abd315a49894058fee3195cead841bc0e

SHA512
9bbd10e2966fece395877f5d73118bdc0550246e8304cddbe2c1bd652cebacf5be44c395cbfdf23a22174199cd93f706129dded9035b79ae7fecc9b54d415890

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
4961935ad9e517cd5707a428e17c3b78

SHA1
ca23ef4ae4e54451c344b8cd4e7b128401ca634d

SHA256
7ee148ccfcbcc0df2996f45503cc8d379bf98441cb84ccf7f9a549d75b6c1e42

SHA512
3861884369632c87ceebe23c54a97df47a0e6d470ce39bba3d59b2ba7651d27ebebe95a33db87243a96d6e8dc4ba7fb344c308244707707e4fd2d9ddcbd29a6a

Download Submit
memory/652-94-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/652-119-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/652-98-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/652-99-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/652-96-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/692-41-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

Filesize
4KB

Download
memory/692-42-0x0000000000DE0000-0x0000000000E34000-memory.dmp

Filesize
336KB

Download
memory/768-92-0x0000000000310000-0x0000000000422000-memory.dmp

Filesize
1.1MB

Download
memory/1004-165-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/1004-164-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/1916-3-0x00000000000E0000-0x0000000000596000-memory.dmp

Filesize
4.7MB

Download
memory/1916-0-0x00000000000E0000-0x0000000000596000-memory.dmp

Filesize
4.7MB

Download
memory/1916-5-0x00000000000E0000-0x0000000000596000-memory.dmp

Filesize
4.7MB

Download
memory/1916-2-0x00000000000E1000-0x000000000010F000-memory.dmp

Filesize
184KB

Download
memory/1916-1-0x0000000077E74000-0x0000000077E76000-memory.dmp

Filesize
8KB

Download
memory/1916-17-0x00000000000E0000-0x0000000000596000-memory.dmp

Filesize
4.7MB

Download
memory/1948-48-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/1948-69-0x0000000006E00000-0x0000000007418000-memory.dmp

Filesize
6.1MB

Download
memory/1948-70-0x00000000068F0000-0x00000000069FA000-memory.dmp

Filesize
1.0MB

Download
memory/1948-66-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/1948-71-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/1948-72-0x0000000006880000-0x00000000068BC000-memory.dmp

Filesize
240KB

Download
memory/1948-65-0x0000000005CD0000-0x0000000005D46000-memory.dmp

Filesize
472KB

Download
memory/1948-73-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/1948-47-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/1948-159-0x0000000009590000-0x00000000095E0000-memory.dmp

Filesize
320KB

Download
memory/1948-46-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/1948-44-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-154-0x000000000A2B0000-0x000000000A472000-memory.dmp

Filesize
1.8MB

Download
memory/2156-150-0x0000000008720000-0x0000000008786000-memory.dmp

Filesize
408KB

Download
memory/2156-123-0x00000000007B0000-0x000000000083E000-memory.dmp

Filesize
568KB

Download
memory/2156-155-0x000000000A9B0000-0x000000000AEDC000-memory.dmp

Filesize
5.2MB

Download
memory/2428-560-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-333-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-146-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-449-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-153-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-411-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-156-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-162-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-548-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-656-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-22-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-251-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-21-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-147-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-20-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-19-0x0000000000E51000-0x0000000000E7F000-memory.dmp

Filesize
184KB

Download
memory/2428-219-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2428-18-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/2716-124-0x0000000000730000-0x0000000000782000-memory.dmp

Filesize
328KB

Download
memory/3700-1980-0x0000000005000000-0x000000000504C000-memory.dmp

Filesize
304KB

Download
memory/3700-1979-0x0000000004FA0000-0x0000000004FF8000-memory.dmp

Filesize
352KB

Download
memory/3700-890-0x00000000003D0000-0x00000000004BE000-memory.dmp

Filesize
952KB

Download
memory/3700-893-0x0000000004CF0000-0x0000000004DCC000-memory.dmp

Filesize
880KB

Download
memory/3700-894-0x0000000004E80000-0x0000000004F5E000-memory.dmp

Filesize
888KB

Download
memory/3700-2044-0x00000000050E0000-0x0000000005134000-memory.dmp

Filesize
336KB

Download
memory/3716-675-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-674-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-702-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-680-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-676-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-671-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-673-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/3716-672-0x0000000003EA0000-0x0000000003F0F000-memory.dmp

Filesize
444KB

Download
memory/4168-285-0x0000000000C60000-0x0000000000CB2000-memory.dmp

Filesize
328KB

Download
memory/4168-306-0x0000000006E90000-0x0000000006EDC000-memory.dmp

Filesize
304KB

Download
memory/4600-250-0x0000000000AF0000-0x0000000000D33000-memory.dmp

Filesize
2.3MB

Download
memory/4600-184-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4600-181-0x0000000000AF0000-0x0000000000D33000-memory.dmp

Filesize
2.3MB

Download
memory/4656-559-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/4656-558-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/4960-612-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-611-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-606-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-607-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-609-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-608-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-705-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-599-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-605-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4960-610-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/5232-582-0x00000000014A0000-0x00000000014EC000-memory.dmp

Filesize
304KB

Download
memory/5232-665-0x00000000014A0000-0x00000000014EC000-memory.dmp

Filesize
304KB

Download
memory/5232-655-0x00000000014A0000-0x00000000014EC000-memory.dmp

Filesize
304KB

Download
memory/5368-689-0x0000018427560000-0x0000018427582000-memory.dmp

Filesize
136KB

Download
memory/5388-1978-0x000000001D000000-0x000000001D350000-memory.dmp

Filesize
3.3MB

Download
memory/5388-654-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/5452-633-0x0000000000A70000-0x0000000000AA8000-memory.dmp

Filesize
224KB

Download
memory/5544-636-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5544-635-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5912-2043-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/5912-2053-0x0000000000E50000-0x0000000001306000-memory.dmp

Filesize
4.7MB

Download
memory/6068-561-0x0000000001150000-0x00000000011A2000-memory.dmp

Filesize
328KB

Download
memory/6068-580-0x00000000070C0000-0x000000000710C000-memory.dmp

Filesize
304KB

Download