asyncrat | e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675

Resubmissions

16-12-2024 09:53

241216-lw48bsvpfy 10

16-12-2024 09:15

241216-k739qsvmgp 10

Analysis

max time kernel
558s
max time network
451s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-12-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nj230708full.pdf.exe
Size

2.6MB
MD5

bd216fdea8517b5beb003e0ac03f536e
SHA1

a3f3d4395b74da605bb1e068c846ccb531213f38
SHA256

e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
SHA512

57dadcbd826b9d2cd99e82d1ba5ada998219378d9c1782388de06c9a2dddc754ec32ca89682cc56e5f38dd55e1a57ce5bd5cb2482ba655ecbbd76206f353d694
SSDEEP

49152:ztJyfM3mq+li7JeXVn2GljPUXSrVFADPtMieH5nqwTs8X3jkXcMt:JUKmzi7Je4GljPUCrzAiieZq8IX3t

Score

10^/10

asyncrat stormkitty discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral1/memory/4276-421-0x0000000000620000-0x000000000086A000-memory.dmp	family_stormkitty
behavioral1/memory/2532-458-0x0000000000900000-0x0000000000B4A000-memory.dmp	family_stormkitty
behavioral1/memory/2500-628-0x0000000000DA0000-0x0000000000FEA000-memory.dmp	family_stormkitty
behavioral1/memory/4860-638-0x0000000000D00000-0x0000000000F4A000-memory.dmp	family_stormkitty
behavioral1/memory/2504-649-0x0000000000F10000-0x000000000115A000-memory.dmp	family_stormkitty
behavioral1/memory/4236-654-0x0000000000B70000-0x0000000000DBA000-memory.dmp	family_stormkitty
behavioral1/memory/4340-659-0x0000000001100000-0x000000000134A000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3592 created 3292	3592	Briefing.pif	52
PID 3592 created 3292	3592	Briefing.pif	52

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsabellaGuard.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsabellaGuard.url	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3592	Briefing.pif
4392	Wihnup.exe
2424	Wihnup.exe
1096	Wihnup.exe
3584	Wihnup.exe
2604	Wihnup.exe
3836	IsabellaGuard.scr
5064	Wihnup.exe
4720	Wihnup.exe
3948	Wihnup.exe
2732	Wihnup.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1928	tasklist.exe
3184	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PennRemark	nj230708full.pdf.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Briefing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nj230708full.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IsabellaGuard.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
2044	timeout.exe
1860	timeout.exe
4252	timeout.exe
1940	timeout.exe
4220	timeout.exe
232	timeout.exe
3924	timeout.exe
1996	timeout.exe
2092	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4960	schtasks.exe
2500	schtasks.exe
3152	schtasks.exe
3200	schtasks.exe
2008	schtasks.exe
1512	schtasks.exe
1080	schtasks.exe
3528	schtasks.exe
1684	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
4276	MSBuild.exe
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
2136	msedge.exe
2136	msedge.exe
4200	msedge.exe
4200	msedge.exe
2532	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4200	msedge.exe
4200	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	tasklist.exe
Token: SeDebugPrivilege	3184	tasklist.exe
Token: SeDebugPrivilege	4276	MSBuild.exe
Token: SeDebugPrivilege	2532	MSBuild.exe
Token: SeDebugPrivilege	2500	MSBuild.exe
Token: SeDebugPrivilege	1192	MSBuild.exe
Token: SeDebugPrivilege	4860	MSBuild.exe
Token: SeDebugPrivilege	1040	MSBuild.exe
Token: SeDebugPrivilege	2504	MSBuild.exe
Token: SeDebugPrivilege	4236	MSBuild.exe
Token: SeDebugPrivilege	4340	MSBuild.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
3836	IsabellaGuard.scr
3836	IsabellaGuard.scr
3836	IsabellaGuard.scr

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3592	Briefing.pif
3592	Briefing.pif
3592	Briefing.pif
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
3836	IsabellaGuard.scr
3836	IsabellaGuard.scr
3836	IsabellaGuard.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1972	2912	nj230708full.pdf.exe	77
PID 2912 wrote to memory of 1972	2912	nj230708full.pdf.exe	77
PID 2912 wrote to memory of 1972	2912	nj230708full.pdf.exe	77
PID 1972 wrote to memory of 1928	1972	cmd.exe	79
PID 1972 wrote to memory of 1928	1972	cmd.exe	79
PID 1972 wrote to memory of 1928	1972	cmd.exe	79
PID 1972 wrote to memory of 3884	1972	cmd.exe	80
PID 1972 wrote to memory of 3884	1972	cmd.exe	80
PID 1972 wrote to memory of 3884	1972	cmd.exe	80
PID 1972 wrote to memory of 3184	1972	cmd.exe	82
PID 1972 wrote to memory of 3184	1972	cmd.exe	82
PID 1972 wrote to memory of 3184	1972	cmd.exe	82
PID 1972 wrote to memory of 4120	1972	cmd.exe	83
PID 1972 wrote to memory of 4120	1972	cmd.exe	83
PID 1972 wrote to memory of 4120	1972	cmd.exe	83
PID 1972 wrote to memory of 4812	1972	cmd.exe	84
PID 1972 wrote to memory of 4812	1972	cmd.exe	84
PID 1972 wrote to memory of 4812	1972	cmd.exe	84
PID 1972 wrote to memory of 3212	1972	cmd.exe	85
PID 1972 wrote to memory of 3212	1972	cmd.exe	85
PID 1972 wrote to memory of 3212	1972	cmd.exe	85
PID 1972 wrote to memory of 3700	1972	cmd.exe	86
PID 1972 wrote to memory of 3700	1972	cmd.exe	86
PID 1972 wrote to memory of 3700	1972	cmd.exe	86
PID 1972 wrote to memory of 3592	1972	cmd.exe	87
PID 1972 wrote to memory of 3592	1972	cmd.exe	87
PID 1972 wrote to memory of 3592	1972	cmd.exe	87
PID 1972 wrote to memory of 1364	1972	cmd.exe	88
PID 1972 wrote to memory of 1364	1972	cmd.exe	88
PID 1972 wrote to memory of 1364	1972	cmd.exe	88
PID 3592 wrote to memory of 4844	3592	Briefing.pif	89
PID 3592 wrote to memory of 4844	3592	Briefing.pif	89
PID 3592 wrote to memory of 4844	3592	Briefing.pif	89
PID 3592 wrote to memory of 4500	3592	Briefing.pif	91
PID 3592 wrote to memory of 4500	3592	Briefing.pif	91
PID 3592 wrote to memory of 4500	3592	Briefing.pif	91
PID 4844 wrote to memory of 1080	4844	cmd.exe	93
PID 4844 wrote to memory of 1080	4844	cmd.exe	93
PID 4844 wrote to memory of 1080	4844	cmd.exe	93
PID 3592 wrote to memory of 4276	3592	Briefing.pif	94
PID 3592 wrote to memory of 4276	3592	Briefing.pif	94
PID 3592 wrote to memory of 4276	3592	Briefing.pif	94
PID 3592 wrote to memory of 4276	3592	Briefing.pif	94
PID 3592 wrote to memory of 4276	3592	Briefing.pif	94
PID 4276 wrote to memory of 3688	4276	MSBuild.exe	95
PID 4276 wrote to memory of 3688	4276	MSBuild.exe	95
PID 4276 wrote to memory of 3688	4276	MSBuild.exe	95
PID 4276 wrote to memory of 4156	4276	MSBuild.exe	96
PID 4276 wrote to memory of 4156	4276	MSBuild.exe	96
PID 4276 wrote to memory of 4156	4276	MSBuild.exe	96
PID 4156 wrote to memory of 232	4156	cmd.exe	99
PID 4156 wrote to memory of 232	4156	cmd.exe	99
PID 4156 wrote to memory of 232	4156	cmd.exe	99
PID 3688 wrote to memory of 4960	3688	cmd.exe	100
PID 3688 wrote to memory of 4960	3688	cmd.exe	100
PID 3688 wrote to memory of 4960	3688	cmd.exe	100
PID 4156 wrote to memory of 4392	4156	cmd.exe	101
PID 4156 wrote to memory of 4392	4156	cmd.exe	101
PID 4156 wrote to memory of 4392	4156	cmd.exe	101
PID 3592 wrote to memory of 2532	3592	Briefing.pif	103
PID 3592 wrote to memory of 2532	3592	Briefing.pif	103
PID 3592 wrote to memory of 2532	3592	Briefing.pif	103
PID 3592 wrote to memory of 2532	3592	Briefing.pif	103
PID 4200 wrote to memory of 4404	4200	msedge.exe	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\nj230708full.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\nj230708full.pdf.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Remarks Remarks.cmd & Remarks.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3884
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 717274
      4⤵
      System Location Discovery: System Language Discovery
      PID:4812
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "PositionFlagsMalaysiaMissouri" Clips
      4⤵
      System Location Discovery: System Language Discovery
      PID:3212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Auditor + ..\Suite + ..\Stat + ..\Docs + ..\Islamic + ..\Sufficient + ..\Fought + ..\Petition + ..\Slight + ..\Computational + ..\Recruitment + ..\R + ..\Upset + ..\Principal + ..\Textiles + ..\Breed + ..\Peace + ..\Drinks + ..\Judicial + ..\Abandoned + ..\Morocco + ..\Berkeley + ..\Marks + ..\Remember + ..\Freebsd + ..\Pty + ..\Writings + ..\Fi + ..\Radio + ..\Workplace T
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\717274\Briefing.pif
      Briefing.pif T
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE445.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE72F.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE65F.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1096
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        
        PID:4428
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        
        PID:1768
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE744.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        
        PID:3584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        
        PID:1704
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE740.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE72B.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE67B.tmp.bat""
        6⤵
        
        PID:384
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE5BA.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE567.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\Wihnup.exe
        
        "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Employee" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardInno Technologies\IsabellaGuard.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Employee" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardInno Technologies\IsabellaGuard.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsabellaGuard.url" & echo URL="C:\Users\Admin\AppData\Local\GuardInno Technologies\IsabellaGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsabellaGuard.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnregisterRequest.xht
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0xe0,0x7ffdafc53cb8,0x7ffdafc53cc8,0x7ffdafc53cd8
    3⤵
    PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,6174226121700789198,4918797743245561148,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
    3⤵
    PID:664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,6174226121700789198,4918797743245561148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,6174226121700789198,4918797743245561148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
    3⤵
    PID:3584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,6174226121700789198,4918797743245561148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,6174226121700789198,4918797743245561148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnregisterRequest.xht
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdafc53cb8,0x7ffdafc53cc8,0x7ffdafc53cd8
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,782094928066776200,11197330973645124406,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,782094928066776200,11197330973645124406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    3⤵
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,782094928066776200,11197330973645124406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,782094928066776200,11197330973645124406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,782094928066776200,11197330973645124406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\GuardInno Technologies\IsabellaGuard.js"
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\GuardInno Technologies\IsabellaGuard.scr
  "C:\Users\Admin\AppData\Local\GuardInno Technologies\IsabellaGuard.scr" "C:\Users\Admin\AppData\Local\GuardInno Technologies\r"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
942B

MD5
98fe0a1fc7758003711d8e3e1ae5fe6b

SHA1
d40c938ab81688aa66bf2b6e603c607c05941362

SHA256
144c877bf9a52869a04022685a90bda90974aa13796121ef61343147e0d2ba45

SHA512
88aa58a64e2133dbdbda01e94cbe5302acdbd6a73161c7dcd25431d2460b4f884380ad52cbb068eb8e8659948b95117924658d917ac3cc7809004dd01176a382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wihnup.exe.log

Filesize
841B

MD5
3e1d14e0e2cc17ee1d96b6b63f08b54a

SHA1
fc46ed5e8c8ecfa034f932d60903521e154be600

SHA256
a5b1dee69defc4e1c1f37c2e06a95a445cb747aae04317b30971fe996a69cd2c

SHA512
a6a4e78c6395e20f4897b8d84601aaac900f46d58b4e9859821654a453a3ae67ec91d8fa2756d1ca44bd6590e73ac533dee749b6054100a0f13040bca503884c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d23c5269aabc44c53a633997cb6fefc6

SHA1
427d433a151e1ebd76ad7bc0ffce6dbc578298e0

SHA256
c73ecbd6f9533946cb0038dfbefd001bbfb5fb1c88b4d9aec35586672771a2b1

SHA512
5904d711a05f17cecaaddd67d00af965264aee5903e0323f0fa2cc343d00d25fa7a8637bfb6b0ac055e94f34769f373b8b54ebcfffbc886e127215ce0617d2b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f0807009817fcbdc250b8b7b56d5080

SHA1
65532815231f2e6fc80606cc920d75461a0cd8b6

SHA256
1e88fc7e894699e0b3fde977922d98ff3ec06f4c1b24b1d16f1e3a9d7e9a2470

SHA512
bdd7c18ff8c4e6c1e952fb3c222cfc140d55d74c536b8b74428585c090c2b6cc9018da6acd05de9d1f2ebaf151e7765d11eb6077d01d183a0ca30e5100b0b85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
69f2d8995845e5f7ca1242d13123331a

SHA1
c1b535a1ef7c6091204a62458d84e168ecb7c1fc

SHA256
f62b940ac6e6e6c8a1d790ba985e16a52e01c5acd8c3875f7421c71dd8c316e3

SHA512
024f91d1bc3a07c3118a2c04a2717f3deda29378549e414acc88a6fab8ebeacd4b4e7cd7abf914872e14855b8b3af3d8ee34b681bcd3e7effed2d6d197cda7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
530B

MD5
9bde1bb86739cfb202b0550bb0075299

SHA1
e568bface8ec507776a0ca2521b3f354bb95b4c9

SHA256
0767249491e097073512300b6a910ec6d67d4dbe81b4060f78d5307ea5ffbdaa

SHA512
078033cbd4966463b26d545fe19fbb520fa29ab760e0208d7da6156fa62203b51b1b881cec60a71343056adc45b7ea965de4900fea65977566642714ac199f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c08d28b17aa41896fd7776e9de575406

SHA1
88ba9534e8f37fbfd4f1dba6953187b8b9868f7a

SHA256
77ca55c4333961224ebb12037704e8ebb2dc7464d1e1b31aff481b71584a601b

SHA512
e02ba5d1183e74efb65ae70433154cf41644b7ce1e4f973e8676bde9d4e666fb4d75a9b38d5109e0b9a1713a14fd5fc6d6aa5c4448b964a21aa00a3757cb41d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
421c08da9fbc9fe5aab6a699e18d1214

SHA1
ca5857418edf030a1d9b1e7ab8bdda96c185a5b3

SHA256
9d7ba43529f9c5837bd5637707049367d2790b6ea5a37a8bd2c85c7e62ab3524

SHA512
e624dbd6147cbbc17d34d45caac47416d5bdfffbc91e60d21cda8ff9240333d2f13d42a225e5c8307a5df130221b1e42200baaeaff12b90e25f9bd54f60cfb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40f5348045ecd39091ab66f812c72ede

SHA1
4726058c147e71cfc39085ed9bc374765f901406

SHA256
374d4d1344f1805d6c5c853fb6365ac0a6ac89b2b5250a86aeb7b2f8816dc785

SHA512
26dea05b7bd39d45223f084685abd557ec2aab8a65ebd239014a39d68cfd33c3ab105022839bc90bfaacfcdd07def1ee0621fac704a877a606610c1cf3f576b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e54212da8141517a440b2763fca0ce48

SHA1
1c404a073feb786fd03a4bc452c0b8e5a410fc8d

SHA256
2360c69cbc71e5155326e66c832965cbeac898afc5140168a0b19ae342f39214

SHA512
ee91aea1d579e994ab7ad3c755995cb98f4c680d075b87f1edbbae378bd4e29f2784293939497972e93704d35db9883a8b3a49f7e61a77b3eb382a974605c21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13378816595605288

Filesize
1KB

MD5
b74aedd4c8b97fc80575e16f17462b3e

SHA1
448018b6d1bf077b7432168d529c038c0af6c6f5

SHA256
7157660fda325bbb2fb1102d7cf863ab18ffb5da08b9b562d9a95cec02034168

SHA512
4ca9608c136d6677a8eb0dbdf93ff5885554cc59437d867a8c1b274e4c526e3a502a1f1224bc6947443c84910caf0304f25eccb369f72dbdebf490a036ced644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
ea9a98736b8ef95b9112005c35c6bccf

SHA1
2c007a0da48053922d27658e8d9183f284c259a2

SHA256
235a641ae9ef43cb435a0daae80d28d1f17f6737d397b954fc94756786837d0b

SHA512
863a137ec12282019d70ba38b3d77f8bb4d93aa6d7315297accc8349e886d20b91e27602df9ec5dfb7386a18d86dbdc5500784d09ba182fe0846f80b9848e348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
b97878e5ae4b389cab50ce8f0b063748

SHA1
2c4aa324390384a0e41195046c36783d10eb5d6c

SHA256
d28231caf043a6173b98a6b6dadfc39a8f87a435a8aa66e4fb0e46bdbb23094e

SHA512
ef059b58595794e304e4f0991b3c55f67223fc333c11868d6dcb69d5083fda263d0a7d9f11d82d460bcd30cba563b38558870e73b64305aeca9d405c9e5f6815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
b4b77b4fbfc216cb0a07aeedc6710909

SHA1
69c88f05b48ee0b919c397408b7f248c49d1e091

SHA256
9df80454ffa055dd0e812d333a99b49f5df71b5f537134d761a8bce859aa45b9

SHA512
773250572679a0e077f4384af3fa41c85d7669e5b7f17b11b2efaab01295508de18beff8822a3af7f854d54c9919ff4ca24691d9450abcb047ddc77ecb38f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
cd13e2da13f26b935b40ca8387a38933

SHA1
d171699f6f3ccc04cc56389fb0af20c6888e9f24

SHA256
709acee5b6308ce22970ffcac89471bdfc452ce8b3e96d0e0262cce319ec5ac3

SHA512
58e9bed82281e37b6b44ab7b461eead0e6977f5ed802f906c32897b421534f27a289577a06f07ea21f96ec55c2f0ee2cb84ccdb2c30c8d54420bbd209715639a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
b88a39594da98ae09b66991ead9ac0ef

SHA1
e3018fb544d3bdf84a5ce3ab845742953ff8df8f

SHA256
ea1b005701d996646e08525df911b2f2f8181e4f123636994b824e3ccecf8d6c

SHA512
82f526bb3f852c75aee4a18f49188b62def9880b801e600863b7e3de5e6420a6abef47976c9688f982865abe2842833ce1f8d1122a71d19e92c4762ba3224724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
294300e6ebd0a8a690b4993aac6f8618

SHA1
b71ab226ddc314f2f005a13a9bb6434197a94985

SHA256
1b3fb31da6f4e4b95e4b17c8f3714bc8261854af52abbf6db1b1f6e289402b50

SHA512
86300559d9d8c4bcf00a2219de274d32be0f7d03c5f9650547badb71b68b1ecd182f0dc57c0e0bf857185412d5ab976ae41da80faed4183143e544e9c4a3a643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
203f8e90904dea68867ab86155a96bfa

SHA1
cd3346679763c7b21ccb9fafea91157a4f81e523

SHA256
db675d3995b0a3f37d135f7f7f88b628e527640fa373e87213bd8c43b78224a8

SHA512
c0b5c6d87f352c5b7e0730b34416ee53d4e5f96817636eab584d1945af1ff9c27ba4992b3a3c32d02e8a05c7a6e0561c061b6ea1b8668365e62c399d13cea06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\717274\Briefing.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\717274\T

Filesize
2.1MB

MD5
6a16c57c66daf2a5b8ce4a5f050568ef

SHA1
ce7b295e1095f6f1615eaf2ee065685105c99eac

SHA256
817a9d154d06042ea6f7a7fa44db0a56386c44d9a36fcdd4185afe166c9c32d5

SHA512
907d9eafe33bde5535255b811eec5b6c3a1d8e1c6897eec9e404f4af28f3f087b94a4f47a9e7b01452586220165c27a407f4e76f7dd06c464450135b512587d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Abandoned

Filesize
67KB

MD5
18da19c1a6bdce0c460b4f4d1d29d11e

SHA1
04f6e8ffcb297e8ade3be3d8741dc6be840ae33b

SHA256
0f4589de014cd500472959e710b8f4aa30ccbc6c5fae61147808a1d2b8ad01b0

SHA512
5ca40f12585d90a1b0e449688e96d0423cb3118d5ad801c37c219692d7f041cee564acca8af8be83ccbcfbfbbcec4d44d2f0d1ed844776cb26d7149cdb262c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auditor

Filesize
73KB

MD5
c9dd3156963812c971c4330538c15475

SHA1
c9d0021f8fbad189ed89bc870d7562603d67f117

SHA256
1162076c38551807146ca2be943ab29320a239c7ae35e07adb30488918cf9a5c

SHA512
bea3cad803c19b323efe74f10a28bbc76e5823ad3cbbdb942b462e2a35d085fcc046b5bb48a5c2b7baad527458a3a7798e4ea5a1c1df993fbd9fe5d658213c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Berkeley

Filesize
61KB

MD5
3902bfe3c426128f7605d3268db36cf8

SHA1
58a17e8863b5109f0bd825df383ef70daf2b550c

SHA256
7ed7da8a3fc15c0c5bce4dc158e5a201f9bd0838af1a5756676c6aadafbf18ac

SHA512
4369b86a9b7ff550f3d026b8cf2cb6fd86a4a48c8031cf5a9f53dfa642194b6f14bcb62057839cb54c98755a937dfde76bec053d5d06d4f12ab160f50f053f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Breed

Filesize
80KB

MD5
7b85a8a8162983834481c2fc3977d6cc

SHA1
30404d1d4dfbe3374aeac976fed5ded2904cdad1

SHA256
8ca02a9a6593a3bc55fdc3be6c10653ba260befc660a5e6681e0e2b82c38711f

SHA512
27baf5390eadd9ea56bb51a75938ca12887b1cf858f4581d96c2ea8b4a866fd01e39b73f4f9173b95915b00c66d14c15e62bc4bac9ff0887b28a96abdc991f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clips

Filesize
15KB

MD5
57c78b68607609bc35b7d1cacee2d640

SHA1
00af00543169e85208f329d5a72c8094698d6a30

SHA256
638a6d42410c7ba571b50e1362ff409d6398bfc927ff2e59d2677f91c9e7206f

SHA512
262520e6a314161508d2fa81c1590d2f7378c3da15241a6b5dcb85ff20365f65a95fa8f15814c9e11f43eef70ee192645e80894bb5e6e969342e523628564469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Computational

Filesize
67KB

MD5
b4dccf25fc88fa917a3c8adebe421b48

SHA1
c6f9abab8dbe51cb506b4de5efd66e3d652d9738

SHA256
b53f6ea9bd037fe2e37548e8f86ade76b24bd96784fff770a5b16d8681708801

SHA512
6b3cb87554ef4892d7ffada22792d2be15899ea41d6f7dc2adfcc49a320ab6198b94e7d60a498ed90ce89f7c0a72cc30af224cadb7e048be38bab27d0b5cb866

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docs

Filesize
68KB

MD5
4a6384a47df8ae1a3e249cc4267f77de

SHA1
ab05c902702cd9183d2c1d470ad5a5e4f51615c0

SHA256
3a3b4cecbbad4a93725cd9ff55a80e35dd1915d18faee7b6746ebdd049801dc8

SHA512
aeace828eab93114bc3ce245415129274b846366d604fc1992c3cf7d316aef9122c214bbcb26d9899151f3553fb58f2fb2636efd33202108ec1069f6bf9265b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drinks

Filesize
77KB

MD5
82f11e57b5a9009de28a97cd1735b6a3

SHA1
fd2a5c51290b11fb66391e94fe976cc1512f350b

SHA256
4556265567c0239879eca2df7e73a88185a70527cb83497c636493d9521c8db4

SHA512
ec47b2a263d3636508d153eb4e3d04050f6323ca1f5fbf53dfb40a3bf2da7ebbd271eb69e06317804f5f8f673c3f9084af6ba0140a29bffdbafe81ba361c5364

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fi

Filesize
87KB

MD5
e85921ec65740070d67cdd40549386fc

SHA1
460505e79c5c6a8b42889fe6ba53662c6fb92fb2

SHA256
06fe58bae3a43f1de0c6fe2bc93f85f84f9af0fe9592be31f07a26b2572e454c

SHA512
f1d55a2550244788e2ba5869f629adce329830ca0eb3e28f7f3c3441f4c7b32706860eae3e63ae07ea81f643b1179b0e9b0c95745c290516c022598e38612787

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fought

Filesize
69KB

MD5
9b34585894eb1ccdcd82b169006576ec

SHA1
e7ae9f1530c731e810e163260c9a9866dc8a3a28

SHA256
fd42916f715812f39b907a28f5aec9b77c4948ca050a65f2be6828a3c42cb8d0

SHA512
d6bd33599fbd5bde5e5ae84e8179f87b8c9a5412d8612bd8329f87dcbee9ad8d9e064fe3a6f516333beff2c6e8692b3617c68682c17be22b271f1fd958871ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freebsd

Filesize
86KB

MD5
dfbfd7310e2dcdbb9a4a505f1cc3effb

SHA1
ee6f84566c3661996545dc3e094b10c36c91646f

SHA256
4945f470c9a6ffc50a4b89c1c61e733f03d06703e6aafbf13608df267554dfb0

SHA512
381097a8cafbb7f7d3e110afc0d202f25a1e5868aea9c9829b4d877ea5367ebe663da57f4127b0a2490547badbbbab8426eed461e5a0401a9498dba87a5146a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Islamic

Filesize
88KB

MD5
a772dd8dff2b5b0adc48e248482fcf37

SHA1
f31ecba21d5955bd3db62a0ee43a1f70fbe9c867

SHA256
d8283ad6f03e09b6df2790c9e1fe9a6eac19337dd340c81fe129b8e1d66530d8

SHA512
8febb5daca59b8825970fce3324ab93045a8f406c59cf91df5227c693e7cfe2e434659398a6e884d79c6e288c6af84939aa8363859b4ea15554e6d6834e4fa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Judicial

Filesize
90KB

MD5
896532d212f45cafd8788647f58ce42f

SHA1
168ba160fb14ae66180138f03f269b34915d012e

SHA256
71c77a0c4e572d7290eba86941f04a740441429ff354fa2c9cbbdf8a79eff34f

SHA512
5280cfa0f40a9c23b40b385837dc1b02556a3d660b685f24106c440617f11ed50378543df281cea6bf7ac7ee10fe02b948645eff24f54d36cc36832badce2c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Marks

Filesize
62KB

MD5
735197be3eea32cf6383951c62c35613

SHA1
93690fc284ad422d344b85cc7b089b0a651bb59b

SHA256
074c900354fc81a5b32e3bb1b920445dbcb213b41a31735aa0be98f362bd8861

SHA512
a2f3edc573376c3f7135282d73f8f4e69c9551840fa4c30197b758dcae0743eedbdb64a5d83ff70eeffa1ca53f84c48e498234a71080ae44a16ef3dcaca37d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Morocco

Filesize
74KB

MD5
cc57dbf4daece475d7ab8dcbc8d8f56d

SHA1
c31fc58ab9d86e69b3659afb15e5e626412a06da

SHA256
e616e843609c56443ed9af172579ead8b2c0cff92284eec494d8843d96475627

SHA512
a6a7c14a1f3481f6d6df76e720080f6ae381ba8809518141fd3965e1c82845a3b92fff7ab71ce27229a088871b14ab69661635f64d119a2e57ef654c6a0ce227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peace

Filesize
88KB

MD5
44718b0d9cf17639c3c67a385319956b

SHA1
194b64dbf82abe34f83671a79dea9c0d9c14f346

SHA256
31038f4a3a516d38c9b5bdfb872ac67fef3759745a4201d53526a1cd792a82a8

SHA512
c634e3f9d9c711a56f72d89205914ec8086beff6b2ff02c0358b11a3ce7633b9c3a420e9beb41dcc728edc4e35e86d3562552babd6a00cb3e094d7db9addfefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Petition

Filesize
72KB

MD5
940dcd93266c885c245f0bb43848a82a

SHA1
f4c265da0aab95031446c382de1dfb6a33547a4b

SHA256
45fb600e9e36eea5c30cb6a41b1e693a533dd4805c687059ff3529eb6e40538b

SHA512
0a776a5a7309e3497f502eb2c6cbeb21fe3af67c28157d5ff353edec2262c013ccc79204c2e207645c0647ba4c14157d2aa55f271ef9e23bd2ceba8d100481c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Principal

Filesize
67KB

MD5
39038c8d2bcae0ee7248712c8f76f2ac

SHA1
2081469f02daa1fb6ec92041695800c38fb7672f

SHA256
b4fefc16a5d54c809c7fd250afeaf15f334c5b9aec634db49d854f2881b04a39

SHA512
b34c563a4a6f68ba7f4facaa418c7c615cf82777e6af2621e6d18a50616988d99d7bfa34265d10127e572beaa82f1eeab5ceba09c82f649068328bf76d49c5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pty

Filesize
57KB

MD5
d97d8500cd803acfcb2c25d234a50118

SHA1
de934752632cd51db7975280d8d8aaed17de50ba

SHA256
d9f10397fdc297971c8962f34b5db38c8f4cafe54b6eb58f144095879bccf23b

SHA512
04ba974a85c8861d3d59b71e1d21edb3a20f30cf8afc7db20f41f1f62a4c411647d224d75145e6ed784805d2a94b32fc54adfdc64af511da081c4ed1b03cfddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\R

Filesize
61KB

MD5
637589d295f6c230bd08ccbcb4e7e20b

SHA1
1882592646a956a9b29818d2da15a84b3b9fe75e

SHA256
d7906db911ca0193e8d1e9572f22854a8f04777d34be7aa9bc15e4ee97824b8a

SHA512
77e9381c3c26a10349c27568b4c2d63708efcbdc31eb49246b8332500b1beaf632726aa3ee2602bb91dfb1457d8eb910492f9da73d13390de71696216bafe424

Download Submit
C:\Users\Admin\AppData\Local\Temp\Radio

Filesize
82KB

MD5
b521d7fa82a96a9e37a487e321129a4b

SHA1
96b24fa878f58e9b5f3e275a4ec9922d1b09bdb6

SHA256
b4cb548251f03db83eba1ce5cf4503659a31410d6949068dc8dfe0cf43cd00fa

SHA512
258ae0c06a46ecdd272f05fdf81186a1dbf8b6f670393e8730e45ca836ff685e12771d04cf00a087c51dcf404ff6e7e3994b38cdb8ee8e3b137a58dd05373d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recruitment

Filesize
60KB

MD5
a69710ad34f4bf7c0932cb24b9e0ed02

SHA1
586d0c24209158024044314eda5147f55cdf8151

SHA256
06b90db0f9c2439cb3e64bef36149ebce3243109bdef48ee01cdbf4c4d66c2f7

SHA512
304a5a34983616954f8d65e15c69353195ede7a5ca14b4999d4006c164583f574f9fe90e2138da56e610f1a9958b6e5bf9b3f4b5e13a9f24a87a865f308d0692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reflects

Filesize
906KB

MD5
d0c7b81f3b20301582a8df4c51a5655a

SHA1
9148ec2cf20061ae80a9e38df791e7051d5453fd

SHA256
842d02703c597877661b6ac434547d6d490fe6c10deff3e7532c6b3d95c52186

SHA512
c0ae6d4b3f533d2634cceb2454833443364608f1646600c306a13e8b1e81deee77b0664b263146bce594bb55b9606d9e3d2474126518a939ae2f21d5c7b05a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remarks

Filesize
17KB

MD5
2b45fc31b2859f9e44bb3fd335c15394

SHA1
13fb50e19fdf5f8a4dd2132419be321e71f2800e

SHA256
ee96a8343930cb044f37982401528d91a7766e6dee0e88d3b82379fbc7f7b00e

SHA512
3138578f4fcb46f4eb80a4222b4ab0b0c802551da5fee9efda5c9e4251b0e4aafaf59b63eb974f54c858aeee497a377fdb81bf8ad8e6508af121f359fb038d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remember

Filesize
88KB

MD5
f799d842d9351d2c86f0db882599dfba

SHA1
bcf6b430952aad9f0cc6096e98d63ccac7a2540c

SHA256
8f64f1856cda02ae9276e6ce7b5b64aec5d4939af919b9b7f79e5540d8b7abe1

SHA512
e2bb382115efb7075a60c2aa79684a29f3b0cef121e0dcf56f9f7f27bba9e0a29138497bd0335110d4e9ba2b041923bbdbe7d40f4e6738d7c4bf98c646400a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slight

Filesize
56KB

MD5
996f9b329e5283c05e6e9cfa66d3a63f

SHA1
cd24010d87b4d5623b095214c620ae2cd75d049c

SHA256
f9d3852383fb0594426f488afc52e361570c6b8155b3c30e84f05c2bcb94dc6d

SHA512
259242a94650baa21d1bc64bea1b6306d0937c079bf91052a0b3af13f693a54519b6d21871e9af576475832146b436ed33ac12be1a3c0ff0933c5c1e4164639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stat

Filesize
63KB

MD5
0e8173eef663ba40991fb667600ecf95

SHA1
18a548686ccd5c544b02bb7dde5cf914e5166084

SHA256
7b667b26889182e04c5e436eb7083e1c3847c0a3066fb5e778cc77357ef6632d

SHA512
9c859f1deb29fba79a9e108df0a3c9199fa0d0439272bdae690f273a3c373de0171d3211713e3a03f8de245c8f703acd63b2721c244c2a4567a19dea0731cc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sufficient

Filesize
98KB

MD5
7645204a3617032fb1f45eb0a93b66b7

SHA1
2e2f69385b9df56b6217b5dfdc1608bd73f58bf4

SHA256
25e5d95b5c8814c9f21c6d18b6e13d1969795c6d7ccc88751caa969abf1dc678

SHA512
7cab09f66bf7b8e38cd85f7180860c57d9fa63c020f508d6b7805765d55b3f0d96d31a360753c1a0f94fcaa0b101077076d95197a6a85d4646f220c4adb4d96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suite

Filesize
69KB

MD5
7af81514cb520c518e7f3c4bb743227a

SHA1
0f500950bcab9037ad12e47fe53a15d057ffb383

SHA256
af11f6ce725b3a38bcdf8d7bc0251762c4b360f13fd1dd9d5e7f6f0a9e432610

SHA512
f51565d012871e44d707c67ad7bd9318abf1a1a4197dcfd61d027135f452cd8ca1cda67581084e0f56391c52307a81d2b04d179347b9e482daf979a79216e7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Textiles

Filesize
53KB

MD5
556ada8916c5bcb381534f3bd45bfcd9

SHA1
128995a8410d03643287b89a96d41096b0a51a0d

SHA256
9b93972c61a346d132b7a7e99461f6d1e1c7abe4f84fa08f47118bfdc60fe2f9

SHA512
55263f77498ecdd5de07356baea52771c201a56dacee6ef2e7e6d5e4f6734a829ecd351207609d3f53643748048c812268f46c11e4e4f283b09738d81a25ea95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upset

Filesize
66KB

MD5
e8443d7b438842b8a6b236a9b9fd55f1

SHA1
2963fb03777c344809df505c141feecbd0ce0246

SHA256
23eefa138447816ed41edfbf1d065a38ddf1d501a024a25f2d2c4a8275ac3a60

SHA512
3c6e8a01bf609f08593bbcf1a4b317a5b12a3ba64ad4dccb4abeeefb2d9b1590e446d7a7fbe1d826e2e59e5b6d3de44dba7632530f4b738a702006f9f05ae14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Workplace

Filesize
1KB

MD5
d851f9ac6b3a85cc5867a8fb505ca14b

SHA1
9bddc727f55d63d1c65f196fa421970b9f670334

SHA256
2c36b36bd475f5ba2926eb570d2bbadc8a248ea0f21a15b82511c737e3ec1358

SHA512
2f8fa47349f1136eeaa3a5bc6ccb78945dae1c475eedded3b1ac01d035f28b920f7f6f50292a86ce9e7cdc4ffd1743ae28989359adf9bc727012a39bbf97f129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Writings

Filesize
91KB

MD5
7a9c73df748595a4c8234e8af5b0659d

SHA1
8153a322dfca222e0bfd795fc18a2679314e22e9

SHA256
d233c7dabd1eabdb771671cfce90075e817edc868492e14d560f51b99d337b4c

SHA512
650fd7e05f2aabcad60864a1be9e3293d503bc993712461443510eccf0477a3b9f754871ad2183f69a2b38f4238e3a0b1baaadab97dcce00af0670fa96c1abdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE445.tmp.bat

Filesize
150B

MD5
fa817aa2f114bb9b78248d7139939ca4

SHA1
be9afa61ae40790a11ad02044419e53d9afef0fb

SHA256
cfb08c5ead59e4e9e7b00757e32d1355f77746c29cde9aafd195e607860ea9e8

SHA512
fab0034f9f4ea4b5e3ae96925d9bb7dc3ea9d61f3a25accf053769f28dbce6f4468ad31d744f52be6ea9db213240a2048ee91db7086b2e5462379dd9478324d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE72F.tmp.bat

Filesize
150B

MD5
034da285ce03906f538aa3e996d43f8b

SHA1
b4cd5c220cd5e0a06a022a0123f1bc9dcbaffa64

SHA256
c2402976c08773f908906f5c5cfce3e3e8e3403a31eceb360bb031527bd013d9

SHA512
7832d9dc1f9559daf3ed1a8afc9dd4bf2a9daa3d992d34e24833bbbbf5c9be33fbe19dc4914961a9705c52c955a3679096d47d1a17dab3305e67428764195afc

Download Submit
C:\Users\Admin\AppData\Roaming\DataLogs\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Wihnup.exe

Filesize
256KB

MD5
d10a3cfcc08aae3a7234498f213cf89e

SHA1
ccae4469a3a05fcb6e7af33019ca5357e5406dda

SHA256
0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06

SHA512
90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427

Download Submit
memory/2500-628-0x0000000000DA0000-0x0000000000FEA000-memory.dmp

Filesize
2.3MB

Download
memory/2504-649-0x0000000000F10000-0x000000000115A000-memory.dmp

Filesize
2.3MB

Download
memory/2532-458-0x0000000000900000-0x0000000000B4A000-memory.dmp

Filesize
2.3MB

Download
memory/4236-654-0x0000000000B70000-0x0000000000DBA000-memory.dmp

Filesize
2.3MB

Download
memory/4276-422-0x0000000005480000-0x0000000005A26000-memory.dmp

Filesize
5.6MB

Download
memory/4276-421-0x0000000000620000-0x000000000086A000-memory.dmp

Filesize
2.3MB

Download
memory/4340-659-0x0000000001100000-0x000000000134A000-memory.dmp

Filesize
2.3MB

Download
memory/4392-432-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/4392-433-0x0000000002A90000-0x0000000002AAA000-memory.dmp

Filesize
104KB

Download
memory/4392-434-0x0000000005120000-0x000000000527A000-memory.dmp

Filesize
1.4MB

Download
memory/4860-638-0x0000000000D00000-0x0000000000F4A000-memory.dmp

Filesize
2.3MB

Download