Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
22-08-2024 15:54
Static task
static1
Behavioral task
behavioral1
Sample
5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
Resource
win11-20240802-en
General
-
Target
5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe
-
Size
1.8MB
-
MD5
bc84ed6e5a8ae05b5d5616de16628c03
-
SHA1
16f768b807acb9a9b047d37d5602f9fd4263c3e9
-
SHA256
5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c
-
SHA512
f3b85266e5085ea74415e3346b0eb569335c70b32c366a9a1ad87fe04f96b178a5736e8ceda4e8bb43129321a429d588cfff0332316b5e3c38c332e6a909e1f8
-
SSDEEP
24576:tnLehpzQc+mCyg2F3rI8jm8PE/iyTZNndwZaqoBfpT3emrHviOeAiYZkMBpm9QsF:JihhgB8C8PE6ydMIqklBfeYkgUlh3Z
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.163.21:29257
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
14082024
185.215.113.67:21405
Extracted
redline
816FA
88.99.151.68:7200
Extracted
amadey
4.41
a51500
http://api.garageserviceoperation.com
-
install_dir
0cf505a27f
-
install_file
ednfovi.exe
-
strings_key
0044a8b8e295529eaf3743c9bc3171d2
-
url_paths
/CoreOPT/index.php
Extracted
stealc
penis
http://185.196.9.140
-
url_path
/c3f845711fab35f8.php
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%Userprofile%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
gurcu
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000100000002aba9-700.dat family_xworm behavioral2/memory/2536-712-0x0000000000FA0000-0x0000000000FBC000-memory.dmp family_xworm -
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
resource yara_rule behavioral2/files/0x000100000002aba4-685.dat zharkcore -
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
resource yara_rule behavioral2/files/0x000100000002abf0-862.dat family_purelog_stealer behavioral2/memory/5000-876-0x0000000000140000-0x000000000022E000-memory.dmp family_purelog_stealer -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral2/memory/1388-44-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral2/files/0x000100000002ab01-113.dat family_redline behavioral2/memory/5936-121-0x0000000000840000-0x0000000000892000-memory.dmp family_redline behavioral2/files/0x000300000002a4c3-267.dat family_redline behavioral2/memory/2516-280-0x0000000000B70000-0x0000000000BC2000-memory.dmp family_redline behavioral2/memory/1864-598-0x0000000000B40000-0x0000000000B92000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description pid Process procid_target PID 2896 created 3344 2896 Beijing.pif 53 PID 2896 created 3344 2896 Beijing.pif 53 PID 5128 created 3344 5128 Cultures.pif 53 PID 5000 created 2536 5000 Mswgoudnv.exe 185 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 228 powershell.exe 4728 powershell.exe 2008 powershell.exe 3040 powershell.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 6000 netsh.exe 1280 netsh.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 5928 cmd.exe 4300 powershell.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk explorer.exe -
Executes dropped EXE 33 IoCs
pid Process 2160 axplong.exe 3080 GOLD.exe 2820 crypteda.exe 6140 hWU2wISwhK.exe 5936 o6jBypKfsf.exe 2128 stealc_default.exe 5352 axplong.exe 5872 clcs.exe 2516 14082024.exe 4952 BattleGermany.exe 1352 Community.pif 4676 runtime.exe 2896 Beijing.pif 3436 coreplugin.exe 5380 axplong.exe 5128 Cultures.pif 3604 Indentif.exe 5284 crypted8888.exe 5084 kitty.exe 2536 explorer.exe 4744 Cultures.pif 2068 LummaC22222.exe 5064 build2.exe 4856 5PHCENYBS068Y01.exe 5644 stub.exe 5000 Mswgoudnv.exe 3484 Hkbsse.exe 3040 Sеtuр111.exe 1660 Mswgoudnv.exe 2508 Hkbsse.exe 4852 explorer 200 axplong.exe 3004 gulmow.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe -
Loads dropped DLL 34 IoCs
pid Process 2128 stealc_default.exe 2128 stealc_default.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe 5644 stub.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe" Mswgoudnv.exe Set value (str) \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\explorer" explorer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 60 raw.githubusercontent.com 48 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 48 ip-api.com -
pid Process 2212 cmd.exe 4556 ARP.EXE -
Enumerates processes with tasklist 1 TTPs 10 IoCs
pid Process 2508 tasklist.exe 3176 tasklist.exe 3156 tasklist.exe 4324 tasklist.exe 6004 tasklist.exe 3268 tasklist.exe 6116 tasklist.exe 660 tasklist.exe 2528 tasklist.exe 3988 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 2508 cmd.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 3020 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe 2160 axplong.exe 5352 axplong.exe 5380 axplong.exe 200 axplong.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3080 set thread context of 1388 3080 GOLD.exe 86 PID 2820 set thread context of 2784 2820 crypteda.exe 89 PID 5128 set thread context of 4744 5128 Cultures.pif 177 PID 5284 set thread context of 496 5284 crypted8888.exe 180 PID 5000 set thread context of 1660 5000 Mswgoudnv.exe 337 -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe File opened for modification C:\Windows\ChestAntique runtime.exe File opened for modification C:\Windows\EquationExplorer runtime.exe File opened for modification C:\Windows\SysOrleans runtime.exe File created C:\Windows\Tasks\Hkbsse.job build2.exe File created C:\Windows\Tasks\Test Task17.job Mswgoudnv.exe File opened for modification C:\Windows\TreeProfessor runtime.exe File opened for modification C:\Windows\HostelGalleries runtime.exe File opened for modification C:\Windows\ConfiguringUps runtime.exe File opened for modification C:\Windows\ExplorerProprietary runtime.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2528 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 29 IoCs
pid pid_target Process procid_target 4940 5084 WerFault.exe 181 4068 4744 WerFault.exe 177 3148 4744 WerFault.exe 177 4984 4744 WerFault.exe 177 5276 2068 WerFault.exe 190 1804 5064 WerFault.exe 191 3428 5064 WerFault.exe 191 5408 5064 WerFault.exe 191 5160 5064 WerFault.exe 191 1640 5064 WerFault.exe 191 3660 5064 WerFault.exe 191 6136 5064 WerFault.exe 191 4764 5064 WerFault.exe 191 6108 5064 WerFault.exe 191 1716 5064 WerFault.exe 191 3528 496 WerFault.exe 180 588 3484 WerFault.exe 293 5060 3484 WerFault.exe 293 5676 3484 WerFault.exe 293 1520 3484 WerFault.exe 293 5684 3484 WerFault.exe 293 4924 3484 WerFault.exe 293 5436 3484 WerFault.exe 293 5924 3484 WerFault.exe 293 5396 3484 WerFault.exe 293 2524 3484 WerFault.exe 293 1608 3484 WerFault.exe 293 5052 3484 WerFault.exe 293 672 3040 WerFault.exe 303 -
System Location Discovery: System Language Discovery 1 TTPs 62 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Community.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language clcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 14082024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beijing.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cultures.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o6jBypKfsf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BattleGermany.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language coreplugin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kitty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sеtuр111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gulmow.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mswgoudnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runtime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypted8888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mswgoudnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cultures.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOLD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hWU2wISwhK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LummaC22222.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 1504 cmd.exe 336 netsh.exe -
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
pid Process 2060 NETSTAT.EXE -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sеtuр111.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sеtuр111.exe -
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
pid Process 4596 WMIC.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4124 WMIC.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 2800 ipconfig.exe 2060 NETSTAT.EXE -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 2124 systeminfo.exe -
Kills process with taskkill 1 IoCs
pid Process 5532 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 336 schtasks.exe 5972 schtasks.exe 876 schtasks.exe 5152 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2536 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3020 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe 3020 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe 2160 axplong.exe 2160 axplong.exe 1388 RegAsm.exe 6140 hWU2wISwhK.exe 1388 RegAsm.exe 1388 RegAsm.exe 1388 RegAsm.exe 1388 RegAsm.exe 5936 o6jBypKfsf.exe 5936 o6jBypKfsf.exe 5936 o6jBypKfsf.exe 5936 o6jBypKfsf.exe 5936 o6jBypKfsf.exe 2128 stealc_default.exe 2128 stealc_default.exe 5352 axplong.exe 5352 axplong.exe 2128 stealc_default.exe 2128 stealc_default.exe 4208 msedge.exe 4208 msedge.exe 4800 msedge.exe 4800 msedge.exe 5396 msedge.exe 5396 msedge.exe 1408 identity_helper.exe 1408 identity_helper.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 2516 14082024.exe 5288 msedge.exe 5288 msedge.exe 2044 msedge.exe 2044 msedge.exe 2516 14082024.exe 2516 14082024.exe 780 msedge.exe 780 msedge.exe 1452 identity_helper.exe 1452 identity_helper.exe 1352 Community.pif 1352 Community.pif 1352 Community.pif 1352 Community.pif 1352 Community.pif 1352 Community.pif 1352 Community.pif 1352 Community.pif 1352 Community.pif -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 6140 hWU2wISwhK.exe Token: SeBackupPrivilege 6140 hWU2wISwhK.exe Token: SeSecurityPrivilege 6140 hWU2wISwhK.exe Token: SeSecurityPrivilege 6140 hWU2wISwhK.exe Token: SeSecurityPrivilege 6140 hWU2wISwhK.exe Token: SeSecurityPrivilege 6140 hWU2wISwhK.exe Token: SeDebugPrivilege 1388 RegAsm.exe Token: SeDebugPrivilege 5936 o6jBypKfsf.exe Token: SeDebugPrivilege 2516 14082024.exe Token: SeDebugPrivilege 3176 tasklist.exe Token: SeDebugPrivilege 3156 tasklist.exe Token: SeDebugPrivilege 2528 tasklist.exe Token: SeDebugPrivilege 3988 tasklist.exe Token: SeDebugPrivilege 4324 tasklist.exe Token: SeDebugPrivilege 6004 tasklist.exe Token: SeDebugPrivilege 1864 jsc.exe Token: SeDebugPrivilege 2536 explorer.exe Token: SeDebugPrivilege 4728 powershell.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 3040 powershell.exe Token: SeDebugPrivilege 228 powershell.exe Token: SeDebugPrivilege 2536 explorer.exe Token: SeIncreaseQuotaPrivilege 4124 WMIC.exe Token: SeSecurityPrivilege 4124 WMIC.exe Token: SeTakeOwnershipPrivilege 4124 WMIC.exe Token: SeLoadDriverPrivilege 4124 WMIC.exe Token: SeSystemProfilePrivilege 4124 WMIC.exe Token: SeSystemtimePrivilege 4124 WMIC.exe Token: SeProfSingleProcessPrivilege 4124 WMIC.exe Token: SeIncBasePriorityPrivilege 4124 WMIC.exe Token: SeCreatePagefilePrivilege 4124 WMIC.exe Token: SeBackupPrivilege 4124 WMIC.exe Token: SeRestorePrivilege 4124 WMIC.exe Token: SeShutdownPrivilege 4124 WMIC.exe Token: SeDebugPrivilege 4124 WMIC.exe Token: SeSystemEnvironmentPrivilege 4124 WMIC.exe Token: SeRemoteShutdownPrivilege 4124 WMIC.exe Token: SeUndockPrivilege 4124 WMIC.exe Token: SeManageVolumePrivilege 4124 WMIC.exe Token: 33 4124 WMIC.exe Token: 34 4124 WMIC.exe Token: 35 4124 WMIC.exe Token: 36 4124 WMIC.exe Token: SeIncreaseQuotaPrivilege 2972 WMIC.exe Token: SeSecurityPrivilege 2972 WMIC.exe Token: SeTakeOwnershipPrivilege 2972 WMIC.exe Token: SeLoadDriverPrivilege 2972 WMIC.exe Token: SeSystemProfilePrivilege 2972 WMIC.exe Token: SeSystemtimePrivilege 2972 WMIC.exe Token: SeProfSingleProcessPrivilege 2972 WMIC.exe Token: SeIncBasePriorityPrivilege 2972 WMIC.exe Token: SeCreatePagefilePrivilege 2972 WMIC.exe Token: SeBackupPrivilege 2972 WMIC.exe Token: SeRestorePrivilege 2972 WMIC.exe Token: SeShutdownPrivilege 2972 WMIC.exe Token: SeDebugPrivilege 2972 WMIC.exe Token: SeSystemEnvironmentPrivilege 2972 WMIC.exe Token: SeRemoteShutdownPrivilege 2972 WMIC.exe Token: SeUndockPrivilege 2972 WMIC.exe Token: SeManageVolumePrivilege 2972 WMIC.exe Token: 33 2972 WMIC.exe Token: 34 2972 WMIC.exe Token: 35 2972 WMIC.exe Token: 36 2972 WMIC.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 1352 Community.pif 1352 Community.pif 1352 Community.pif 2896 Beijing.pif 2896 Beijing.pif 2896 Beijing.pif 5128 Cultures.pif 5128 Cultures.pif 5128 Cultures.pif 5064 build2.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 4800 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 2044 msedge.exe 1352 Community.pif 1352 Community.pif 1352 Community.pif 2896 Beijing.pif 2896 Beijing.pif 2896 Beijing.pif 5128 Cultures.pif 5128 Cultures.pif 5128 Cultures.pif -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2536 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2160 3020 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe 82 PID 3020 wrote to memory of 2160 3020 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe 82 PID 3020 wrote to memory of 2160 3020 5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe 82 PID 2160 wrote to memory of 3080 2160 axplong.exe 83 PID 2160 wrote to memory of 3080 2160 axplong.exe 83 PID 2160 wrote to memory of 3080 2160 axplong.exe 83 PID 3080 wrote to memory of 928 3080 GOLD.exe 84 PID 3080 wrote to memory of 928 3080 GOLD.exe 84 PID 3080 wrote to memory of 928 3080 GOLD.exe 84 PID 3080 wrote to memory of 1172 3080 GOLD.exe 85 PID 3080 wrote to memory of 1172 3080 GOLD.exe 85 PID 3080 wrote to memory of 1172 3080 GOLD.exe 85 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 3080 wrote to memory of 1388 3080 GOLD.exe 86 PID 2160 wrote to memory of 2820 2160 axplong.exe 88 PID 2160 wrote to memory of 2820 2160 axplong.exe 88 PID 2160 wrote to memory of 2820 2160 axplong.exe 88 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2820 wrote to memory of 2784 2820 crypteda.exe 89 PID 2784 wrote to memory of 6140 2784 RegAsm.exe 90 PID 2784 wrote to memory of 6140 2784 RegAsm.exe 90 PID 2784 wrote to memory of 6140 2784 RegAsm.exe 90 PID 2784 wrote to memory of 5936 2784 RegAsm.exe 91 PID 2784 wrote to memory of 5936 2784 RegAsm.exe 91 PID 2784 wrote to memory of 5936 2784 RegAsm.exe 91 PID 2160 wrote to memory of 2128 2160 axplong.exe 94 PID 2160 wrote to memory of 2128 2160 axplong.exe 94 PID 2160 wrote to memory of 2128 2160 axplong.exe 94 PID 2160 wrote to memory of 5872 2160 axplong.exe 96 PID 2160 wrote to memory of 5872 2160 axplong.exe 96 PID 2160 wrote to memory of 5872 2160 axplong.exe 96 PID 2160 wrote to memory of 2516 2160 axplong.exe 97 PID 2160 wrote to memory of 2516 2160 axplong.exe 97 PID 2160 wrote to memory of 2516 2160 axplong.exe 97 PID 5872 wrote to memory of 4800 5872 clcs.exe 99 PID 5872 wrote to memory of 4800 5872 clcs.exe 99 PID 4800 wrote to memory of 3016 4800 msedge.exe 100 PID 4800 wrote to memory of 3016 4800 msedge.exe 100 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 PID 4800 wrote to memory of 3848 4800 msedge.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4976 attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe"C:\Users\Admin\AppData\Local\Temp\5a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:1172
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Roaming\hWU2wISwhK.exe"C:\Users\Admin\AppData\Roaming\hWU2wISwhK.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6140
-
-
C:\Users\Admin\AppData\Roaming\o6jBypKfsf.exe"C:\Users\Admin\AppData\Roaming\o6jBypKfsf.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5936
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5872 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.05⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa5ca33cb8,0x7ffa5ca33cc8,0x7ffa5ca33cd86⤵PID:3016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:26⤵PID:3848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:86⤵PID:4716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:16⤵PID:2288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:16⤵PID:2868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:16⤵PID:3756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:5396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,13327998034029599319,355582662265837694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.05⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2044 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa5ca33cb8,0x7ffa5ca33cc8,0x7ffa5ca33cd86⤵PID:5796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:26⤵PID:3012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:5288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:86⤵PID:5264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:16⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:16⤵PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:16⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:1452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:16⤵PID:5844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:16⤵PID:5200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:16⤵PID:5820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7888863270661756282,10577667586084242598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:16⤵PID:2680
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit5⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4880
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:6132
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1774796⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "FoolBurkeRetainedWait" Drop6⤵
- System Location Discovery: System Language Discovery
PID:2488
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s6⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-
C:\Users\Admin\AppData\Local\Temp\177479\Community.pifCommunity.pif s6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1352 -
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST7⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5152
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 156⤵
- System Location Discovery: System Language Discovery
PID:4732
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit5⤵
- System Location Discovery: System Language Discovery
PID:4548 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:3132
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:5156
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 403656⤵
- System Location Discovery: System Language Discovery
PID:4788
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "HopeBuildersGeniusIslam" Sonic6⤵
- System Location Discovery: System Language Discovery
PID:3292
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s6⤵
- System Location Discovery: System Language Discovery
PID:980
-
-
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pifBeijing.pif s6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 5088⤵
- Program crash
PID:4940
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 7928⤵
- Program crash
PID:1804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 8248⤵
- Program crash
PID:3428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 8808⤵
- Program crash
PID:5408
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 9248⤵
- Program crash
PID:5160
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 8808⤵
- Program crash
PID:1640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 9808⤵
- Program crash
PID:3660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 9928⤵
- Program crash
PID:6136
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 10408⤵
- Program crash
PID:4764
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 9928⤵
- Program crash
PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 5929⤵
- Program crash
PID:588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 6329⤵
- Program crash
PID:5060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 6409⤵
- Program crash
PID:5676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 8649⤵
- Program crash
PID:1520
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 8849⤵
- Program crash
PID:5684
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 9009⤵
- Program crash
PID:4924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 8769⤵
- Program crash
PID:5436
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 9169⤵
- Program crash
PID:5924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 9649⤵
- Program crash
PID:5396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 11929⤵
- Program crash
PID:2524
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 13929⤵
- Program crash
PID:1608
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 14329⤵
- Program crash
PID:5052
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 11808⤵
- Program crash
PID:1716
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:5312
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit5⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:5800
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6004
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2971456⤵
- System Location Discovery: System Language Discovery
PID:5672
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "CorkBkConditionsMoon" Scary6⤵
- System Location Discovery: System Language Discovery
PID:3408
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k6⤵
- System Location Discovery: System Language Discovery
PID:5764
-
-
C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pifCultures.pif k6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5128
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:932
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe"C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe"4⤵
- Executes dropped EXE
PID:3604
-
-
C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe"C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5284 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:496 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 13246⤵
- Program crash
PID:3528
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe"C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2536 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:228
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\explorer"5⤵
- Scheduled Task/Job: Scheduled Task
PID:5972
-
-
C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1660
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 11685⤵
- Program crash
PID:5276
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"4⤵
- Executes dropped EXE
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\onefile_4856_133688157916339397\stub.exeC:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5644 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"6⤵PID:440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"6⤵PID:1500
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"6⤵PID:4592
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"6⤵PID:3200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"6⤵PID:2164
-
C:\Windows\system32\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:3268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"6⤵PID:3936
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer7⤵PID:1280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:5876
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"6⤵PID:4760
-
C:\Windows\system32\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:6116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""6⤵
- Hide Artifacts: Hidden Files and Directories
PID:2508 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"7⤵
- Views/modifies file attributes
PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""6⤵PID:4848
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"7⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"6⤵PID:2444
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe7⤵
- Kills process with taskkill
PID:5532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"6⤵PID:5216
-
C:\Windows\system32\tasklist.exetasklist /FO LIST7⤵
- Enumerates processes with tasklist
PID:660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"6⤵
- Clipboard Data
PID:5928 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard7⤵
- Clipboard Data
PID:4300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "chcp"6⤵PID:2396
-
C:\Windows\system32\chcp.comchcp7⤵PID:4132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "chcp"6⤵PID:676
-
C:\Windows\system32\chcp.comchcp7⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"6⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1504 -
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"6⤵
- Network Service Discovery
PID:2212 -
C:\Windows\system32\systeminfo.exesysteminfo7⤵
- Gathers system information
PID:2124
-
-
C:\Windows\system32\HOSTNAME.EXEhostname7⤵PID:4352
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername7⤵
- Collects information from the system
PID:4596
-
-
C:\Windows\system32\net.exenet user7⤵PID:5968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user8⤵PID:2760
-
-
-
C:\Windows\system32\query.exequery user7⤵PID:5924
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"8⤵PID:132
-
-
-
C:\Windows\system32\net.exenet localgroup7⤵PID:5396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup8⤵PID:5984
-
-
-
C:\Windows\system32\net.exenet localgroup administrators7⤵PID:6004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators8⤵PID:2524
-
-
-
C:\Windows\system32\net.exenet user guest7⤵PID:4956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest8⤵PID:5936
-
-
-
C:\Windows\system32\net.exenet user administrator7⤵PID:704
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator8⤵PID:412
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command7⤵PID:5660
-
-
C:\Windows\system32\tasklist.exetasklist /svc7⤵
- Enumerates processes with tasklist
PID:2508
-
-
C:\Windows\system32\ipconfig.exeipconfig /all7⤵
- Gathers network information
PID:2800
-
-
C:\Windows\system32\ROUTE.EXEroute print7⤵PID:1204
-
-
C:\Windows\system32\ARP.EXEarp -a7⤵
- Network Service Discovery
PID:4556
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano7⤵
- System Network Connections Discovery
- Gathers network information
PID:2060
-
-
C:\Windows\system32\sc.exesc query type= service state= all7⤵
- Launches sc.exe
PID:2528
-
-
C:\Windows\system32\netsh.exenetsh firewall show state7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6000
-
-
C:\Windows\system32\netsh.exenetsh firewall show config7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:2796
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:3912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:2432
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:2712
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5000
-
-
C:\Users\Admin\AppData\Local\Temp\1000179001\SеtuÑ€111.exe"C:\Users\Admin\AppData\Local\Temp\1000179001\SеtuÑ€111.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3040 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 9765⤵
- Program crash
PID:672
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:336
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:5840
-
-
C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pifC:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 10643⤵
- Program crash
PID:4068
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 10563⤵
- Program crash
PID:3148
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 10643⤵
- Program crash
PID:4984
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5352
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5224
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5800
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4788
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 50841⤵PID:3592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4744 -ip 47441⤵PID:5672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4744 -ip 47441⤵PID:5676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4744 -ip 47441⤵PID:4132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2068 -ip 20681⤵PID:1204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5064 -ip 50641⤵PID:2196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5064 -ip 50641⤵PID:5916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5064 -ip 50641⤵PID:5376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 50641⤵PID:3308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5064 -ip 50641⤵PID:5860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5064 -ip 50641⤵PID:4128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5064 -ip 50641⤵PID:5672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5064 -ip 50641⤵PID:1324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 50641⤵PID:4968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5064 -ip 50641⤵PID:1068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 496 -ip 4961⤵PID:4784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3484 -ip 34841⤵PID:4992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3484 -ip 34841⤵PID:4900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3484 -ip 34841⤵PID:776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3484 -ip 34841⤵PID:700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3484 -ip 34841⤵PID:5932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3484 -ip 34841⤵PID:2732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3484 -ip 34841⤵PID:1824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3484 -ip 34841⤵PID:248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3484 -ip 34841⤵PID:4220
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3484 -ip 34841⤵PID:3280
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3484 -ip 34841⤵PID:1432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3484 -ip 34841⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe1⤵
- Executes dropped EXE
PID:2508
-
C:\Users\Admin\explorerC:\Users\Admin\explorer1⤵
- Executes dropped EXE
PID:4852
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:200
-
C:\ProgramData\pjuf\gulmow.exeC:\ProgramData\pjuf\gulmow.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3040 -ip 30401⤵PID:1848
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Network Service Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
7System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
10KB
MD5848e908b8a424a63e333ef6522ad3afc
SHA188bdc2c6397d874aeecffd972017aa40040d84ca
SHA25672040e752189e7c7e1ff0983c91e8d742ac0e75375f37cefc8372219d438f597
SHA512dd90aaeddef25761b8faf7b420e4cbb22e911214bbb6281932d08ebc0bfd7d53873e340ab0fea510c240c11bf7275fd042ff1d9bd5620609cc5c33a3b8caab9f
-
Filesize
152B
MD5f74f80cd052dc4903da98dd6916f375d
SHA13e3512884ee41291824b30b256670b3d0a1c8d40
SHA256d9589878daebff7c0991b2007a7af982f4760512545b4e331708f3f3308447ac
SHA512bd186699a85c91cda88df15ebee640f99b55ff168e228dd0de8d7416d62de1bcb57e88beb3b12ce74a54a9c7491934ef3dd5fdd6b92ab5c909f129b419d96b77
-
Filesize
152B
MD5c32b6fc873c040253034fe4bf5037bd0
SHA1fc58579eb5bf46c8d5246a45abae3566898c2e27
SHA2568d59014ec29aebf56b641a018b29b6c64e33764d7a2262283ce51319071f930c
SHA512e8ba0e9e78bc58b3d6d671a1e693cbe81745f000daaf281cc6aa6c591ae261b981f704e3dcb32f0fef87424aab0f42e4cfe40e445d8ef5a529c7bfda8ac510f2
-
Filesize
44KB
MD5e669d063e57e65d1f3338b0e451964bd
SHA1ee3049106b9dfb5080b61c457fc9296a326f664b
SHA25660f5892976a05ea00ecf849103ba93cdf61dfafb7dbe4a69ea1af663acd12655
SHA5122cf54c33218043ac20cd4edf72b6c30fed0891b7a898afe285424195eac0100ad4db68363f7049c845ce2b3c962ce682fc26cf3a1f327853443e71a785d27720
-
Filesize
264KB
MD592272706acf973c7d14ddbbf30b5efcb
SHA153e552f5b92bf790ecc12d089a8c5fe30643f6e9
SHA2567702a69b25ddfe1d36b15d6eb66a9dffd4c6d16199f78ba770f027b431aba5e4
SHA5121188733830de3b2628c10ad3c33e391f9745eaec854dbe08c3119c4156cad61a789f89a2574a345ed616b60fc3f2cc41b9d22db0d3455d2d0382b3b60d53711d
-
Filesize
1.0MB
MD57951c5e3a8711dad15026683e30e15a3
SHA1ab91c0d965446200397b40e8bcf47ef9d91fb4bd
SHA2562b575c8c74500299784bc46d6b905ca599b7e5d57bf55a9c6033ca8f02f889f8
SHA51298a02986dab0c1d39c0b6bd42f8e5a12f7912e7f61fe08d12bfe4aa8924b83b675699afd42e3e890abfa4abe4b970f39105b63f1e66f4efde3eb84ecddce1e9b
-
Filesize
4.0MB
MD5980b13bbdaf872855edb63a2b275c32f
SHA156d57ea472e3a3880c1536a4bd1721f00a2a6309
SHA25635c0aa461d3b08142d6671a03541ca74528356f13a1c3bca1a9167fff5f8d349
SHA51275de8768b9dbbfb9481d31d2c090e3baf0f9c92ee7407dabd538e1bd3c588d897849b0634b7f7510368b6ef5b42effc4ee2df405087b8ebbf99002e885e5c7e9
-
Filesize
224B
MD51317b793c35cc3bf9ddcfbe505dbb0c2
SHA110f74510716799db8975049bcc8784eade10cc55
SHA256654c3b46b73e7276de4e2286e0e299516f542ead05ffadeb64c9b10eda4c1dc0
SHA51252fbd9e76c0748b1494d19a3dd37f102b09ab35d9cd41784d26c3d8a36dee97b236df82d7d161cd3f7677b0c49c673f53b3ca0d952bacdba68787d05fd3adf6b
-
Filesize
243B
MD557c2fc5a7f8df0e08a8392c897be6b5a
SHA1d3f11435e822e786ee31d82bc63f3065c125aada
SHA25674ce345f064c634a22b1f8161008f7481b603117cea9bab01afe1b4acca881d8
SHA5127046bdc5110b6e090bb0da1503df12bd7e1cb7e1ba3583fdcbc24eeff8e71962145a7287854e1af3a13afd85a65fa13c9c00baa959620c9fe4eab91bdec719ac
-
Filesize
221B
MD546154ee8003109c2562ea944f56b17b9
SHA1e1cd4ef3672b56e78097dc84359078db94f2d23c
SHA256978d36da7538f7684a42537317177c989779cc103f25848e2f1a4ef272bc04fe
SHA512613761b50bc331d176b42b7df007e35b2b1ad602cdb351a32941d9996b28e4137e22ed0ccac795d5f840e006d3d414188c93636c883560dd6b40772cfdd6cabb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD50184b1cb8c9b6eefb426be0f5386f701
SHA18828f34924d07e3f4f53dbfde8e85e76d247e2ae
SHA256f538106f8bb3421c928c090bba705984c68bc2969265928fcc3e543926fd2ab1
SHA512bc1d4c4949f2cc8921d7446c337cefec81e2d075069394139e66ca0ea196778323f6b60c6b15e4d562e70ab2172855cc81327896883975da48c81c470b99f7a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe590517.TMP
Filesize168B
MD57bf7559c67bfad497c38ba020862b85b
SHA1cd1c6bd858d4a34b2c0f10424d5eacd4562c8727
SHA256408a2da676d2eb614bd33762e40772d0f37402294bb717df8bb927caf0448de6
SHA512d860e29b2f4c005f5abf83010bb997ba1af249cdcab71c16516e62e4aa4e71500fd8dd4d57f1f324c1d38484294a11486cbd085aebf4c0f856763783044bde5f
-
Filesize
14KB
MD514f338279b907330fea4b13abed8fa96
SHA195f4b8034eb02413890a0bda366d93df17fb36e6
SHA256fab71a01c4b36e7b9677b68d6e54df0147704810b5a16d9bf742d2b49839ebd6
SHA512981caa65c314c786bbd191d323bf8a473688c6f297106b84a67eb1a65047a0c0b05447a359436bd1f6e0a3794d6647a2bd3aa6f7a5a762a8c6f1aae73e298918
-
Filesize
28KB
MD5e37cbb4cf02e52e7c832fefb02ce3acd
SHA1c658d3f12a573c1b9128a43b72092cd8fa31b829
SHA256d96017e289af03c6ded5c68a13ef1eb6e7dc0988c2235dae8d7231c08b3875a9
SHA512a52155c113c585ed844c870d250392c3f3538990dd6c0b7006e8360bce59c5115af1d00de2239621c9c05a5db599e4accf19d12a576f4e4741587c0b7a108ae0
-
Filesize
331B
MD563b815db644559adceee36927d07f19e
SHA122b017bd12ead4adaf31c6b7603215eb4aa1d079
SHA256e54275d42ac4a65788b295068057777dbf0cdb560857051bd36bc6738614ad93
SHA512d6c95bf7be95ce0edc12f0e38d5ffb7f8a871fd55a9e8bf745be34de56e7136ec522f99deaf78bbce9c4059476d79c3393be613964f1b7fc00613b6125dc986d
-
Filesize
5KB
MD5ab22b6ac060754e12b565fd6f1f639d8
SHA1eff9b8dd449cb5fa76f06a0d977fef4d098c169d
SHA256322c81aeca39f3ac0d21dc5e0a4451f275e5f1095b44574bc95b5ce6885a6892
SHA5125d1684c5e7668381315f83ce0cae8f88fdd0dbc5c6adbea0e54e8ec48b4d06111e6f7503b6f28378c6bccc09e5c06a43b4137e6ca1920d074b520323109a7c2c
-
Filesize
5KB
MD5106b73fa6c8bfda615e2715f7b32f2e3
SHA166955ae4fee64ad4715be694b8f6d241a3d62988
SHA25626f706e4ac9fab2f0c3955c38412bfabae396860d7b4c2a0874b1cc2d2ab1f3f
SHA51284c48c57bb48a2c5fddfacd6190e5a4f6a4c65071c9679f54c0fb545a19ca76d18c5ea53eec7d23fcb5f30c602bf9fe37776bd17c257c4e9245a3b9ef3313bcf
-
Filesize
5KB
MD58a91b0e7569ae0e4bd1586b9a52c9f15
SHA17b2fbcf42a6122ded411860027360026a01161a5
SHA256fa805e08508fdd43f4afe5871a65326c04d43daa63b675a44c6ab17bbb741273
SHA512a25341888dac5c9ad0882c54f7fcbf66ea4a75bc5a2fe13ec1bcc543a53c30a80e8b1c1f7a159377bbd63c08493b924b312b20d4c6df74424bd522c56448e6c8
-
Filesize
25KB
MD55c3d7765ba43bd1edee4b831682a4b15
SHA185b74a85860b724221380ac36104c4cee5ed4b38
SHA256c5f1bd264450e4e5abbc92baa64264e8621ffc3dc7ffe360145958651635b186
SHA5129e6977b042efa5eb699dcd81cb8246309dc51e89b4e90ad752d4dbafba629c2f55813da36959e4489cae1f738f28c9e1bb976bc030b34e0c956a7656defeadf3
-
Filesize
1KB
MD5a026c807cbe6ba5da612cd85a367d439
SHA1b8800b089d3ae09207fa033ea8032557b71cc684
SHA256478567892ae2a67dc01fea6e907fc183501f113a835d5b4d887bae4814975f0e
SHA51231192c04dd8deecbab8b0b3018e72afb2016866cce8da33b464ec2fbd1d93cb69c7238ec559ac779b1cd093a963f21b4ab594cee1245cf617a77e71b5df7ac11
-
Filesize
717B
MD5c7e645d591cd792020883e8feefc04b9
SHA1e17ffc621f708928b87fb5e0681c83becf8941ae
SHA25658f75b2f8af589e2bc1cd53b7ba4ae43e930314b17a4c7827baea58ed82acc34
SHA512029074be5ebbd0a93ea951105d0f786015a6aa123b5bc66b8c56034541cdcaa5bb64f635659048747903e45d94817cc826a7601166af04ac6ed47c2df19ae831
-
Filesize
347B
MD59023253038adf74ceadfe1ab71bf9ca9
SHA160a3e576c99e010e5adba78834f1edf4a9740e51
SHA256b984b7848337523b0aa9b73da28f13f4135c26647b162b6831fefbbc7a7262c2
SHA5122c7834e3f337a6a0e2fc756ac072dda5f5823fd5afe0dbab8b01df3d6035a56ec839ec0b59443ae9556226f0553af95c996967ce351a759f0d69b58db994eb17
-
Filesize
323B
MD5d19b5706dc4db78527e7a705152bc640
SHA1f842a8993d9c74d3a1f0852cb39b4cacbaef4ea8
SHA256a321907fb9298a88c23ade71c1220d2e1c6c28c75ebee849f023b0a38b7809ed
SHA5123e38da792c2922461923930c391a41da1891ef9214d93694829ac3fcb03e654e326a3008a910d868a01e8a15421e7431d0b0cbf3b2ea0c65f458edaf727bd0d2
-
Filesize
128KB
MD50253c475c77973af6c92ede8497c11a0
SHA1e492a89a3e18511222eafd67ca6eea0dcedb2871
SHA25674c07a8cf93284e06ad575a7374500b239f88d79851089404d6943afd789d66f
SHA512923bdff6ff6aade045c06df0ce451c09e84576b6d8ba16fe2fc9d515ff10f065a2f0340d82fe528fed49ffee62222f036c8247be7c6a26a345cd09d934e9f619
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
96KB
MD55de1dd8d21af6695dc0eec4c9e2e41b4
SHA1a0072df1179f9ea5b12a8b413dd488d93afef24d
SHA2560434035d3f49e19183fe3e9a4d670f4fcde25861de0bf41b13956f0503e785e1
SHA51287448d42a2c46569a1165cc97bf151709a011604a2b03741f0537c95e514c462ac6676819a3c03a62f1cb16db23a13720896c2b4f8d7bc0a1d37472aef45eee1
-
Filesize
19B
MD50407b455f23e3655661ba46a574cfca4
SHA1855cb7cc8eac30458b4207614d046cb09ee3a591
SHA256ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7
SHA5123020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939
-
Filesize
322B
MD5ed676496cb314a9797f51fcf8c92bd42
SHA1e19cd153b2c8abfd6b214588ec3784cb2c35542d
SHA256e5ca321e1fd648cc5e225506a17a11f5505fc6b79a1699c5f00c123b1d287a02
SHA5121f5352f545b203335735ceb61c4e451b623aeb88d5ba3fd876a7edf3d3c92fd0f46c39354f63cdd5dffebd7ad9315860f28af87f581d8ca75440f94f948e8289
-
Filesize
318B
MD5ccb671a16c98b3b166a2b9eac10b30f8
SHA1a888cd976ec07fa31ac028bf81272f16f7846411
SHA25632ada2fe18d53731572d1a93674a40ab42df4705120b77db8f6773aca879167d
SHA51231c7752179cc0ea895b085d78676a8a3566aa94078ea054a19473dd583fc2f34bf9ad5aa7e2a6bcba4afc7830a15cc69abec9f9c211eb411aecc6c3304bbad17
-
Filesize
340B
MD5eb4ce58a934197883a81950c83dd70da
SHA1d165a6fd0e373c9962c96f168c93afe74204f6b4
SHA256e71f79ec30c36b6f426e708575c9a1bd7734a0c6fcc72384abeb5f88f9fead2f
SHA512889277fee13b27715ea88dc0130ebaa2b6273b15a97f753f1a2aa76ef65d0484aceea4cae1393d65eccd02c446561bc16137c84dd1a3b25d1b452e992f5deb9e
-
Filesize
44KB
MD58bd51feb84813c72e8d5163ad36c0d39
SHA1c97714f3195d41328beaf9ff8f2913fd3c54990d
SHA2560efd3c908263a84ae83a0a8204b19c757c1865e0c6a8b57f4e033d4ffa973693
SHA512ee4658a89c523d19084bd0326b6c0ff538e3755a86ba69e910bf04923b182f31212a66808c52fafcbe77e530301d7ac7783495c24631a27c03c2f3e17c92d81a
-
Filesize
264KB
MD5782c2a52f373b1b45b2ba95f101e6401
SHA1ee4aa26af7784bf7e79f703b3bee55ed1089c723
SHA25639d684267fd8d3c6a3c10cb84dd8002946eea617652e67cd727ff33a976e8e0c
SHA5121b08cecf98e4b80136e907ba75c777e12bdddd5f7b9038f4057e7d30bc30d4ce35a1976b1f4f34f6a0ab67bf229f90d0d7b6ffbb91d34277b0fb8b4fec4e121f
-
Filesize
4.0MB
MD570e8179f1ce31753c48c1a0494d0cd43
SHA1c7d0d44996c7778fca90d5e05ce71e17992cfa8a
SHA2563cfb73d94d2cc84b59659d945fd1e5fc4f7bfb3a46b958255ea1a90a6130a595
SHA5128336577c3e5c685ee72519499edf094a6ac78ced00b8c26d6299828d6016d699d69fbd8efc218bbba367938c69f591dd35b41303475e2a53bfc39571431cc331
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
323KB
MD5d6fca3cd57293390ccf9d2bc83662dda
SHA194496d01aa91e981846299eeac5631ab8b8c4a93
SHA25674e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e
SHA5123990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
319KB
MD50ec1f7cc17b6402cd2df150e0e5e92ca
SHA18405b9bf28accb6f1907fbe28d2536da4fba9fc9
SHA2564c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
SHA5127caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861
-
Filesize
187KB
MD5e78239a5b0223499bed12a752b893cad
SHA1a429b46db791f433180ae4993ebb656d2f9393a4
SHA25680befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89
SHA512cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc
-
Filesize
7.9MB
MD5d23710b05767ac5d4e1d4754f468599e
SHA16fbe21034afe7850a1e608ea67460c25aebb4232
SHA256b78c67f56b7af5533a502fef2ed9b0ce4c9d507214a74f7d0501611941197b75
SHA512e021881e5050b14ab78bcaa686d180b88ac620876cd45525b7648b04a8b672010832a3e8f40221c1e6420b9f6ceda1918a2cc04eb56db9dde39aae3c63dc8a37
-
Filesize
304KB
MD59bba979bb2972a3214a399054242109b
SHA160adcedb0f347580fb2c1faadb92345c602c54e9
SHA25617b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368
SHA51289285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788
-
Filesize
481KB
MD5f9a4f6684d1bf48406a42921aebc1596
SHA1c9186ff53de4724ede20c6485136b4b2072bb6a6
SHA256e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042
SHA51267294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd
-
Filesize
8.3MB
MD5b7df5fdcfdc3f46b0b4f28c1ffb82937
SHA13209511839cd917318c754e0105c1d0cf298f25b
SHA2567636d2367079eabd9da2bb40935df3da580affc47473fd93ed3b2e01ee6c46e5
SHA5128a65c4e2b0755323293736fc01eb445071e04f7e2c345d2838bf7a89887f40c6e3b81df4bb35807d9a47ffa322b42383194baec45fd9b3f1e31cbcb6a72e819f
-
Filesize
1.1MB
MD57adfc6a2e7a5daa59d291b6e434a59f3
SHA1e21ef8be7b78912bed36121404270e5597a3fe25
SHA256fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA51230f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b
-
Filesize
1.1MB
MD59954f7ed32d9a20cda8545c526036143
SHA18d74385b24155fce660ab0ad076d070f8611024a
SHA256a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5
SHA51276ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd
-
Filesize
7.4MB
MD5e14e1aa11625c06cafce8fdab8e9875d
SHA112e19904b45ad20df2d57ce0305a3469eda28f28
SHA256d52015fab106cf0c3b2b290f5234e15d966a9adc779c20268789e24f715f9e84
SHA512b37dab49c8fa9ca39ace81374a1bdcdac44240b28936734cbe1a3a9ca8069e482b8f3be48594485c20ed883c1b2f214dc3824fad6cb1c19cbbdd303e61cd720d
-
Filesize
208KB
MD5031836b5b4c2fc0ba30f29e8a936b24e
SHA1adc7e7ec27f548afd50fac684c009cfe5c2e0090
SHA256bf4f27f6932ce75b1746f5364af3abacbdafa59913da513a168d86ea0ad3a3a4
SHA512ac58ed6b9a3ce4c35366e99e72e4ee1c87048a11979c91f69740d49b3c1f4f4dc3cbaa66287c73530806b8359933e7b6df0bbab01bc3dd4f351988a6a3cd3b6d
-
Filesize
87KB
MD57bc9e427746a95ed037db5e0b3230780
SHA1e5fb0551239eb8edf5b117b04a86742c7780355c
SHA2563d8b1b6802f265ff8eb229c38ff81824f3652f271eb97b7bfef86db369902a08
SHA512ae6e823d72a1a976401726ba3dfb61919bf529719fc555c680a99b3a58c15c982b9a8024d4ca2dab933acd1cc22c1f66bc0d46e7d0e7422825dad9c77852808b
-
Filesize
258KB
MD540e9f5e6b35423ed5af9a791fc6b8740
SHA175d24d3d05a855bb347f4e3a94eae4c38981aca9
SHA2567fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816
SHA512c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8
-
Filesize
10.5MB
MD57fffe8702479239234bce6013bcad409
SHA1ee7aaecaeff869350ead69c907b77d5b0afd3f09
SHA2567870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95
SHA5128d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869
-
Filesize
924KB
MD5de64bb0f39113e48a8499d3401461cf8
SHA18d78c2d4701e4596e87e3f09adde214a2a2033e8
SHA25664b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a
SHA51235b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179
-
Filesize
6.4MB
MD59436c63eb99d4933ec7ffd0661639cbe
SHA112da487e8e0a42a1a40ed00ee8708e8c6eed1800
SHA2563a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e
SHA51259bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
82KB
MD589b56d8bcb6ae96fbd053e6b2b15c55e
SHA1bfc8b027653423828f023021cf33597acc9b9598
SHA2566f271f737e7e3078066c0ee7b9e71a1d05aa809fe8a88aab5e1ade1c68ee6b02
SHA5120037d54c85a7dda1e37c50023707d5061f0bf657443be29acb9eb8eb6bb6302c64ccfd83427aa11b19f07b0e02c004686e8131e4aaab1a59e434d0438d0bf7af
-
Filesize
1.8MB
MD5bc84ed6e5a8ae05b5d5616de16628c03
SHA116f768b807acb9a9b047d37d5602f9fd4263c3e9
SHA2565a9c136d300c0315acd9ef384cbb745cbe25666b0fd1e32ed6671a9da3d4248c
SHA512f3b85266e5085ea74415e3346b0eb569335c70b32c366a9a1ad87fe04f96b178a5736e8ceda4e8bb43129321a429d588cfff0332316b5e3c38c332e6a909e1f8
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
114KB
MD50314b66f9eb938be8129e7b72a6dfe4d
SHA1f524526636d7e3df1c2d6fc4d3a530ec2b40f5a6
SHA25696f64dc6baf4363b64cf944be7e45a0400e535951510200007a4bdd68d1788d8
SHA512ce7622f34a755687816868f1d26c069cefc69b2a630f333d3c49203e4aa285a312e693c4875f8ce709778ffb2e7f9376269f795063f665f18efaf7550e956194
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-242286936-336880687-2152680090-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c9038f8c-1e1b-4144-a72a-756d47bbff27
Filesize2KB
MD5f427134ab9274cdb9b619eb83d9865eb
SHA1bfa1b4a762179db7188ddf742a221fc9111c8cda
SHA256536b1c3cb545c5451c00ba2ab356835e186d589ea98683a15d3cb27f84ddcc2e
SHA512ad3aa7e269844798322b00b0b5a53fcfe0871de0550a94076a3f671bc2d0c11a9e29f83f208172e5435c3e4549b41a88ccd19f1bc6ec484f3b77a727bf6e24c7
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
2KB
MD5c89ec7eef153b59970834ff9b01111a1
SHA15815648d12fa55ca217b9316fb2c203c643e6f92
SHA256dfc259232d988d01c13df91321216dafde34b5c6fde2aa392e89d4eeeee77a51
SHA51215e52b563e611fee3ea8085004e7c908bf4c9fd1207d964dc7aac26239bc9231ab23edbda59e382ffe02529d405b09ff01a468903c726bf98c8392bd8b5633c1
-
Filesize
2KB
MD5aa36b9219256e4e064d57fa978ef6706
SHA131251aeecebc5db81e93ebaccf44dacb56286881
SHA2569142bd5c6e74c5e668325b443df2e3709309fb81a317ebc8743b76a7c7abcdf8
SHA512c5d09d03c7d551ae9cb878b6b4851b7e6c126eaf66698409384b46adaf3fbd74cae12e37c8cc9c5ae8d0e8f55d7bcd019b791dd7bcd5293de2a35af2cbd6691f