asyncrat | hxxp://ser[.]nrovn[.]xyz/langla[.]exe

Analysis

max time kernel
133s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ser.nrovn.xyz/langla.exe

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes

delay
3
install
true
install_file
http.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 782757.crdownload	family_asyncrat

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

langla.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation langla.exe
Executes dropped EXE 6 IoCs

Processes:

langla.exehttp.exelangla.exelangla.exelangla.exelangla.exe

pid process

3504 langla.exe
5336 http.exe
5372 langla.exe
5404 langla.exe
5432 langla.exe
5104 langla.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	langla.exe

pid	process
3504	langla.exe
5336	http.exe
5372	langla.exe
5404	langla.exe
5432	langla.exe
5104	langla.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetimeout.exelangla.exelangla.exelangla.exelangla.execmd.exeschtasks.exehttp.exelangla.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langla.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5292 timeout.exe

pid	process
5292	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings explorer.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 782757.crdownload:SmartScreen msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5300 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 782757.crdownload:SmartScreen	msedge.exe

pid	process
5300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exelangla.exe

pid	process
2456	msedge.exe
2456	msedge.exe
4080	msedge.exe
4080	msedge.exe
1396	identity_helper.exe
1396	identity_helper.exe
1820	msedge.exe
1820	msedge.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe
3504	langla.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

langla.exehttp.exe

description pid process

Token: SeDebugPrivilege 3504 langla.exe
Token: SeDebugPrivilege 5336 http.exe
Token: SeDebugPrivilege 5336 http.exe

description	pid	process
Token: SeDebugPrivilege	3504	langla.exe
Token: SeDebugPrivilege	5336	http.exe
Token: SeDebugPrivilege	5336	http.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe

pid	process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4080 wrote to memory of 4640	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 4640	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 996	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2456	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2456	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3788	4080	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ser.nrovn.xyz/langla.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd504946f8,0x7ffd50494708,0x7ffd50494718
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
2⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
2⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
2⤵
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
2⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
2⤵
PID:708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
2⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
2⤵
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,15469287345761191144,13569433668344462852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Users\Admin\Downloads\langla.exe
"C:\Users\Admin\Downloads\langla.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit
3⤵
- System Location Discovery: System Language Discovery
PID:5188

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'
4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBFE5.tmp.bat""
3⤵
- System Location Discovery: System Language Discovery
PID:5212

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5292

C:\Users\Admin\AppData\Roaming\http.exe
"C:\Users\Admin\AppData\Roaming\http.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Users\Admin\Downloads\langla.exe
"C:\Users\Admin\Downloads\langla.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5372

C:\Users\Admin\Downloads\langla.exe
"C:\Users\Admin\Downloads\langla.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5404

C:\Users\Admin\Downloads\langla.exe
"C:\Users\Admin\Downloads\langla.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5780

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
1⤵
PID:1596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4092

C:\Users\Admin\Downloads\langla.exe
"C:\Users\Admin\Downloads\langla.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\langla.exe.log

Filesize
522B

MD5
acc9090417037dfa2a55b46ed86e32b8

SHA1
53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

SHA256
2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

SHA512
d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d23ed80c030b2dd9a3c846a2f95a5de

SHA1
eaa9261e3d2eb403d3770ae7f13e12b3175f9611

SHA256
420b0e142bef0fb84ee4cdb1ba956dff5f06ff555ea0359e549ee6bbfc1bb11d

SHA512
287e529468d85cfe3476e74b9e6442d0fe8f1831c9f9bf33022ea6531726a9e96af519f751479374a32bd132cd33e5979b35e7b479521bf0237a6c2faeb19fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
67ab62204edfe39ceac43a0b62b1fa64

SHA1
af76c5cfae2d6cba603ee4eaf4e9fb34e93fb7ef

SHA256
e3ad07f614470a0170ca0f13fcc3c02364639de7548b26f6bee894bd0d1a5d8f

SHA512
cbfb1184c945a6920941c1b92929e1233e8886c909a44c6fb30179c66134bf667ad5a1de3ab5eb1bf1458ae3308d4530d46fe1f6bf2811aebbd20ffaeecd4701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d6963c312009daa7793b70508b16707

SHA1
20dd6e9f599accf80a981bac023c2161f1a162b8

SHA256
6ee334ad6e91b27eef372f5cb9560752795e9791aaee62729b73544742ad08fd

SHA512
0cc8ad69b3588ff5b47d2f4a67511047bc497688149e9361b189127e8dabd5bdc4c1f7eb05782e67464f7c4aa90c3e8deb27206d0ac66280e8a6f4f7847e29fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6241695cf12b12f692a319eda4068d14

SHA1
ba52375384b1b7a838390646eb731b7b2bbc7173

SHA256
b8d31262797508e5825291092c6c10943c3d1c0dae189f925445bf4abad94300

SHA512
87fe4a9c012edd2c1105e8ac62582db0c30a269c733842e261f07370f24270ac5e8bbeb2b6198a5b469f643a18c0c6de531bd465bd743f6c2e7cc83e32da4937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4564ecfde690a4983ce75783699acb2e

SHA1
9d47f1db554f9b12479917d8054f01099499e996

SHA256
891e94822151379f6df4e42e741fc3002c9eb153be1173ede7c4fd4bbe3c59b2

SHA512
8c371c6071a45584313fb8e7f7d935e769a679acaf8b2229648ee0a0fd7d813e2c55327a32bf3909602a389008d44a6c79facbc16f69a5759c3090186f7418d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d88326053accc9177103b16c6d64b389

SHA1
a8043143b6f9a771a02937cf09e6c4adc87b6fe4

SHA256
1fc81ecacbad4877a5b661463f6c25575f46829f326f6036d3181949e596a493

SHA512
e162bc21ac8de42948c56b35756db21c523d6201d775e81f7cc99ea56358c1bd324b777e8194884e1ee0aeb59d4cc5e6ae6880db36586611e49576fce4760849

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
12e59c25f04ae88b3c88df040d276043

SHA1
5094db7894c91cc88c3260ff7570fc5d3f875bc0

SHA256
ad8948d2a6f1718f4ada56ce340e4a97742dc6aa3920e1a94c6f83bfca07b235

SHA512
ac91911f1806417c3f00c61edb91ef1534b34f7b3297022be7ac2a84de89d2f31ad67a3b325a269ece7dfb2051f24502d86af30e23f03fccafe642d4bf75d027

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
13KB

MD5
c3831ecb6ef5618e3561a56759e9e101

SHA1
2a7a1d0f19b2090f282d0de1f82c91a03475af46

SHA256
00e6531b4c4974dd54a58a6f144fe173f86e3202d0724426b433cb781c6947ee

SHA512
9e97da4cb0578a99ddc63555439f5b9c1d09e4fbbb102783cce2b5ed24a0abc9c64a587a793e4745f99abff5a24fd28dc5a021f4e7e816f1bf56bd4740304d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241007_092252366.html

Filesize
93KB

MD5
8ae2b4bd6109dbb2c9cc070f57208537

SHA1
cb17fc753c3266399d0871868e70294b52cb951d

SHA256
9ef42f372a7bc362d6d37adff11a949ec8f98bcc1b3091821d2b044e1bb3b0cb

SHA512
d167de6d049d3d0f6f1f97c4a69b090b91bb0a8b8b948f56095a6b569b241b14e7955c5693ab6e92c2a09cd711354dad4218545cf31f0cdb2670c19214b15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092331.log

Filesize
15KB

MD5
0d60dfc3581efaa08675159a66300cad

SHA1
1f5961059b1ef99bef0d2653c5f3e9eca90be0da

SHA256
66d151dcb2b9eb661cdbee0efacc8e6c113b7c2c7e9ecc20e45202eaab3d919b

SHA512
5e7a27dbdeb87eafe97b1bb1db3cf589ff1ccf46cfbc212d676dbe7f1b60360173a29472de5469122081256e02fed3e2739e117e73ff718dba8636aef1320e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092331_000_dotnet_runtime_6.0.27_win_x64.msi.log

Filesize
551KB

MD5
95f0b005e946dad721f5a9139324e953

SHA1
5079f2e8299a55f3b2185631cb6de34345abfc4b

SHA256
8694fbc8429c102ea3e6dc63885fc1d36b77a2a9693600d3243de914f614dca0

SHA512
f781be03a12d92b2360146f393610b817e370c03c97d490a341193733bbacd3b577d9db38851ee6720e25d6c769bab8984b1a34c9e5e39edf841057af7f15abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092331_001_dotnet_hostfxr_6.0.27_win_x64.msi.log

Filesize
95KB

MD5
86e6e18fe08b801e374baeeef5074e54

SHA1
132d1e1c75353e45b45148fd1aeedbabfd9eaade

SHA256
19e378e604d7764fed796eb901e7e17b0f2436d1b2357b4b27c3c448e3ae208b

SHA512
abd50174480483a2ca978c23ffe8c47ff89929dc4dc586365f0957e9cbaf3774095f8253a614cad74c77f7fe1832541ef31be79b8a789cd8b24ada7cc43f41c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092331_002_dotnet_host_6.0.27_win_x64.msi.log

Filesize
105KB

MD5
a05f77d77222dbe4ebcbf59c79f0c11d

SHA1
cb1c2ab3ef234035ba2d6437dd8129e0fef4193e

SHA256
240456fbee8c06ea39b78d1eae2ae6039983527af07bc54ea94eedb8d0f8db0a

SHA512
fbc35930ac55fd94684e0c93f3d34ed9f84e3f0e5040d9a357556f07a8a9a6f232f1e1f4a945303f46bc35c70b1815e758653b98aa1d4585b3b0252a14a5d8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092331_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log

Filesize
847KB

MD5
888fee465fd7707a9118b4929929bdf1

SHA1
0e13bddef6c4a5a30599f400216a9fa359304597

SHA256
6bc0de70a3741489a0a2f3042ba8f9d037742e370794a4fc409187e0c83803ca

SHA512
958a6544bb1999a32e4400ca8df8c76fe1e40650873b580b6c4e99074a23fac62be6f9b1423f4986d56ec1181aeb4371b4b7206a7cbf041c7c42cc454e01c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092410.log

Filesize
15KB

MD5
5993b1a672522d8478784baef740b105

SHA1
7afdfe53ff7507c5429ecf867918da3faab9b750

SHA256
876db63d9f865d7b6328e43c53dd6926e7ba45205ea7281819af124b51ca3edb

SHA512
2ab47f049ff539e09bd2903ecb49c1084f7bb5625d455087040b776b161dbe182fb376d6e5e5192f08cb3c49f480f313ecf1440d77a10930ea3479fdd9e28373

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092410_000_dotnet_runtime_7.0.16_win_x64.msi.log

Filesize
470KB

MD5
b5649c45be2b7a9d2e7eb680b7c70d74

SHA1
93ba37c211fb93f331902791087a5883a8f2077c

SHA256
9e54cc3658faae0bc187fa60cbc09ec8f6f9a1f4aac70d6c15573d34e2c8e54c

SHA512
8083f41a6980cc33ee060136cdfee4769bab4eb134093cd2f86a6cb45ceb7c520d0b36b2e64055cb19bf131fb0858241767b65832d3216fa8b511e210b81bda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092410_001_dotnet_hostfxr_7.0.16_win_x64.msi.log

Filesize
95KB

MD5
11b7c90649ad1ced32d69013024e7e79

SHA1
fe1b705322c45613f40143315afcc576ea059b28

SHA256
49fa6197d473f56a36b5cdb1b31981c891c54761c80d2abe2c7a0bd350b4525a

SHA512
b888ab4073a7263a485356be7c3fd6489387cfc3ee9d41cdd326f51ad05eb4f83803152a0e16b4cbada6bf25b9a946d4ffdf1325b365b1bf97a942db31b82520

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092410_002_dotnet_host_7.0.16_win_x64.msi.log

Filesize
109KB

MD5
3a39aea15226a22e6cfa93c52e8e450d

SHA1
71618e1d3bba3159deeee692aee158f98751c2ef

SHA256
881adb1b7e651961cbac6a309001e5b875b875efe141df17450407f13e2ba62e

SHA512
e0039ca740b72ebc6221e3041d8534bdb9c86d4c8eb9b7f00e0f8e923168bd332797f2848d215cbafd0a2d1bfaaf01ffa443623dd968f777ff54327200d7ca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092410_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log

Filesize
852KB

MD5
d98774126741d9a73e0fe62e5581aaa1

SHA1
366fda2bbb27199c6759b91d037230934c88238e

SHA256
a8b7074fa342342ca6eec3bce94adb83aa7b7601e90e888502803091f9acb4db

SHA512
e804154a256a0861b79e5da1210c2d645e785251325b2b300b5aef7af4b46dd12a9c2182f0570154a0c867e2af6286e46538b230506cc7d750abbe7d40855f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092433.log

Filesize
15KB

MD5
8dbc52c4edd1e15d7ae3f65f2a08b018

SHA1
caaf01360acc48e7793fe7aaedc44085328fb700

SHA256
b687b28da66d180ad17807da6e2ba160c6bbb503973fdee61dc6d31752efc1b6

SHA512
45aabbf90b30c6c77eb623ca5ecca15d695e219f5c3ef5e9eff511c05d2db29d57d86cc3480e36e1d7525ad16f8375cfec88490480023d5bbed99c0132b76dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092433_000_dotnet_runtime_8.0.2_win_x64.msi.log

Filesize
469KB

MD5
785aedb8f1e9d06473d951f621cc64ce

SHA1
5c5a4bc02fcaf0b86a06a0969ab8a4b7dcb301ea

SHA256
072c619ae849efe74526e6819f472219284718dd8c69d6ecd4207f7a66a0cefd

SHA512
1e85e2e9e39b23324da001e7ce2f9c1ccfc4633340e85df9335ea2855522b7ddad7272b24e649801692d60e9e13d9605a8839ceec03faad624a7f50c26df724d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092433_001_dotnet_hostfxr_8.0.2_win_x64.msi.log

Filesize
95KB

MD5
0f6d9e0d2ff69b7c2348f5c05663bf69

SHA1
fe53081ca4ff482ab4c2a903f4eee80f26c6ff73

SHA256
f16fefe514fda7d9792bd5ce193990cde097b38e9a4195cbbfb2d456159b85bf

SHA512
93e752e62dc6a1f914f94173c396df65fd7fc75e37944885553fa2cbb097f84a539e7ba549b10226ee822dcfd71d360b61a8adcd50c0f58ec164e8bd3acd6852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092433_002_dotnet_host_8.0.2_win_x64.msi.log

Filesize
109KB

MD5
f3ad5e59a56646c877c0c16323c50745

SHA1
d53b669ac1cec67c9ef2e200304fda3f8a500774

SHA256
4912dce6cae5955ac415208d00cb9f14d900de0d079cb56db5944e67532c461e

SHA512
e3fdafed161e87d6d9c592dfa0c8cab898b9e30fffdf0dec6c4aa551f50e9c53aa8e812c3d4eda5bb932676c6eae7bb42ae5402b6efc3b198ce14c8b251dad7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092433_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log

Filesize
846KB

MD5
585c05999cbb086f5ff2d9759d48bd94

SHA1
fd10e4740e223e433bdd7348e8784184be483796

SHA256
97a3e3fdc38aabe3c0e836059b6c0243911ccbf29da96d3f7cf2b38eb5be8e99

SHA512
7556de75b583cf826467de31c027c48ab10a91e253b598e6605298d2cc050c1b9e9518d1e81e6a7e975a5c0a9ae07a1f82898723ce1cfcce281573176d82e7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log

Filesize
4KB

MD5
3f2acd8e0a928355b1782fb96c1de853

SHA1
9f7214f5ddaff2094a6c4d94012280f3a5d5678b

SHA256
6252e969151335fa59f05fdca23c55a69dba147c04e5344f62ac5a1fa85127ae

SHA512
6ca73567cb684115df3918919d0a5ff343f7aa01ea2fff6a34d3a17ee200e778903d2ff55202172b666e4dedf593f92994db8ffbc0059d7812169a968629eeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTKBEBLO-20241007-0928.log

Filesize
57KB

MD5
2b901b17b0b2e91f4533839afcb119b6

SHA1
a5cb2b3fe23b18faf3fe8c61abdf259ea9fe7b96

SHA256
fee9a77e3c166414701cd04d1b461889631314b8e736fb98e30ef6958b9caec2

SHA512
175fb33c2e79d79c41e86091809325582c953af417b4da2bce152925b4634b96d23f53665beb73af4715a3c8810c3c1b57f9a0d625bccc0da371bb43e57eba20

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTKBEBLO-20241007-0928a.log

Filesize
180KB

MD5
f419965d3e9b2f6e21245a85917bdf01

SHA1
fbac0b077a55a4926c6eca374bf48d98ea7fa43a

SHA256
3f7939410c879b2cbd03b1f5fb78fffd7c906eebb4cc8f31965382b9b4150622

SHA512
ee3ec8446d5707aeba635511577468995c081067ce2b676ff4d333e085c30400b6e4b13de7fb0759f81ab9383539512c33d21cf0e8874a272c23afcabdbd1d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-2780.log

Filesize
470B

MD5
957840302a5977cc261b9108f2df3ee3

SHA1
b0fa7fbf45d4ae69a2caacd71f17f46e9c619688

SHA256
c9edb7fe5295cb6c67f29f3c1311e29dfe26da825bd0f1627dccaf2153f111f1

SHA512
57791348b65cdb3af44bcc9098aecac5183ca62f50c4490745fbed50202775df85adbc3fa8a8f37f81a968331a9546707b6bdaa617ac0c31370bf5c415ca5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
9c105e0eff54f67c1bd28b6b5924a4d9

SHA1
4912aaecf840fde2dbf1d5ab3cf67c8639660265

SHA256
01c7a1a99fd54497a8a074a5439259656b5f4be63d02d451641baef335c4a89f

SHA512
08a0ce0edf81f4f649f3510c2cf82bcd7aa0a9193583204e2b4dd21dcaea269e785907c9b5843811f9ca5639e6d6d67675d07c6f0314583773de473d4be0adf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
c04a510a2bb7738143aade3aa19bab0a

SHA1
c26b13efc2770644cc22cac48700bafa87c448c2

SHA256
16bd7053f51a44ca9f827b4f05a650840c1c745f070ab5572407050b16737b10

SHA512
e021152698b0a91ede31289b4bb2bdc4b37173671006401a55b6fccac44257d49b6fb3a2ea48adfe755bc9fe4518f764ba9eecdbd55895092c1a3ffa85173f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3C2D.txt

Filesize
427KB

MD5
1aaa5a6d307dc929b1d174c6abb4c17f

SHA1
d57cb554a36d1b39730746cb31c36e6b0983b9fa

SHA256
4e1552c34473c3a5a6247719948b874c9e137c3281794663609aa71aafc658e6

SHA512
f9e765a87f4a1521dafb989231e5760aaa945a390d61f140ea86b7cbd42eb1df35f1e44f7618fa5ce41a6881b696a86ea21f5b1d624ced23ef5325b630dabb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3C4E.txt

Filesize
413KB

MD5
43efca4ef47f05b2046d37a5bfb4a564

SHA1
0ec7a768e7036fcff71b40846fc9fe75a449d237

SHA256
a2784ec2d374bb423031320b41bbd10fe8ad0e2fdc8ec2f327332913f81c7b8b

SHA512
c32b24cba40b3431f1c49ede1a6ac647ebaa45227e8d143d124ae459f1674247e26c575b7f256d889739218ceaf72c2739fef6ad9098fb55efc075197d039d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3C2D.txt

Filesize
11KB

MD5
117adca3287be411cb5a7c0ef3c85bfa

SHA1
fe9bc39ac5ff7f7e2e47273a15dac8ce68f9ffc1

SHA256
4618e59abc86f7f393ce654888dc8f12075b85a159ec8f62ab733dbb4c1ff983

SHA512
73cfcd2bc536964b6025cc91a612548821207af29744df99c83f93a2b6e7732d0d5d9b2714d565a763a88bf1160868033e0814e756ca8934ae1891b0de2e2138

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3C4E.txt

Filesize
11KB

MD5
8fc69c1d279baaa6ba201205c935b06c

SHA1
eff8af7bfecaef7654f25f41a5259414147eb5f3

SHA256
e5d33bd6d3f8a0088b768839859e69027b0eddd6cd6fc56f85f58f1913950f1f

SHA512
d832a5d0d8f5c89dddc4a7fe13e7c8a6c0659f6231b833991cecfe6e947b9073a7047b266b1dc037aa8c18a464e23a78cbb99b5042fa7867e61e6699cdfdb439

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
163KB

MD5
7b95083e4f8b89bdf754da4e21f593f1

SHA1
5928baaff6eae60cf01a2248256424350238eb7b

SHA256
ea634151abfdafd63a0949973457e2eef867d39c6e0c6d0d5c66772bca8ac0c8

SHA512
5bed215c7569556d99f66925168ab203928e13bc2db2a20dde92fb399b77622c1a57666c46587b7b0c90533bc4f64f5c2ae155705236b95236d9bfc0f78648c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mapping.csv

Filesize
120KB

MD5
d3186aada63877a1fe1c2ed4b2e2b77d

SHA1
f66d9307be6cbbb22941c724d2cf6954b41d7bb0

SHA256
2684d360ec473113d922a2738c5c6f6702975e6ac7ee4023258a12ed26c9fefe

SHA512
c94e8aa368a44f1df9f0318ca266f5a6a9140945d55a579dee2fd10aff3d4704a72a216718b35e44429012d68c2bb30a92d5179fbc9fb4b222456a017d8981c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
dcb8c0c774471aa6538f124d8d060d09

SHA1
566184b972aab39829a3da1c9ab666a1abad7f12

SHA256
2810b5482c58c9052745c66f7f58dfb8094aeaa2802d7b24a2121287f5c1ea27

SHA512
7c98a61a2511596f2deba65a3a6b2dc947500c6f2aeb10a48ff7ee2e6a0856d57341fb44fc3633135f1927f9f3235988d7cd54cc9d6e1b66cc38b4894b2a2868

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFE5.tmp.bat

Filesize
148B

MD5
e983eaa5397b3da36f461a7f78d21e4f

SHA1
d3326df5a559a31b376004840a0b62b9fad72451

SHA256
4ae386981b698851bee9dc6441f6776fc671a19408ddf2274cca577d65040ed1

SHA512
5aec15f218fed1041004ac6ebe69925b64aae88b2f05fa787c7cb1ace15fba82abfe77a7a8894d206e3f0343e8cde584c7e4edc7a817fe4ec9359fc16b42fe94

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct18E2.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct92F9.tmp

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
517557e324a835630991dff1b60513bf

SHA1
293f55547fe6fe11a6debd1e601eefaaef85ddf3

SHA256
55636b39851d0bfb6741e4b8d01356d24f8f1bb620425a2837a643be9cbe9872

SHA512
799e5d7c03620a007b8a65403a038f233c2d482871e07ebc540cb6b36b8ab184df9931befb6585837183bb954760bf3c2a52f6bfd0cba86d76db036c5925a48a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 782757.crdownload

Filesize
45KB

MD5
24fbdb6554fadafc115533272b8b6ea0

SHA1
8c874f8ba14f9d3e76cf73d27ae8806495f09519

SHA256
1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa

SHA512
155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

Download Submit
\??\pipe\LOCAL\crashpad_4080_LLRAVJNCSBOYRAAC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3504-80-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/3504-81-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download