lumma | cbdf4c005fe6b2942c3e295264612adf301b864b2424d2e3a6426192803071a8

Analysis

max time kernel
430s
max time network
434s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2025 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlоbаlСhеаts.zip
Size

56.7MB
MD5

e35dc7e72b59a48c2650421ef6c439ee
SHA1

8bc3afd7b968f9c6e6c54a197560ae4b85e70277
SHA256

cbdf4c005fe6b2942c3e295264612adf301b864b2424d2e3a6426192803071a8
SHA512

f12d8eaf91e77d9f2429b05dc9b7a446158aab728388111ea24fd4506103f530783aac6409f65b12df0f014c2f19b17256c6d015ce00bc80c2a340c68edaa633
SSDEEP

1572864:YN74yONRNcQYLQASeroCHgAaGCfohaKOXo617:g74DHNnYZxrZHcfLKOYg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 10 IoCs

pid	Process
1568	GlоbаlChеаts.exe
4184	Award.com
3200	GlоbаlChеаts.exe
5576	Award.com
4720	GlоbаlChеаts.exe
5336	GlоbаlChеаts.exe
5812	GlоbаlChеаts.exe
2536	Award.com
4008	Award.com
4040	Award.com

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
5316	tasklist.exe
4824	tasklist.exe
2592	tasklist.exe
6068	tasklist.exe
6120	tasklist.exe
3560	tasklist.exe
5164	tasklist.exe
5360	tasklist.exe
5764	tasklist.exe
5848	tasklist.exe

Drops file in Windows directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4184	Award.com
4184	Award.com
4184	Award.com
4184	Award.com
4184	Award.com
4184	Award.com
5576	Award.com
5576	Award.com
5576	Award.com
5576	Award.com
5576	Award.com
5576	Award.com
2536	Award.com
2536	Award.com
2536	Award.com
2536	Award.com
2536	Award.com
2536	Award.com
4008	Award.com
4008	Award.com
4008	Award.com
4008	Award.com
4008	Award.com
4008	Award.com
4040	Award.com
4040	Award.com
4040	Award.com
4040	Award.com
4040	Award.com
4040	Award.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4788	7zFM.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	4788	7zFM.exe
Token: 35	4788	7zFM.exe
Token: SeDebugPrivilege	4904	firefox.exe
Token: SeDebugPrivilege	4904	firefox.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	3560	tasklist.exe
Token: SeDebugPrivilege	5164	tasklist.exe
Token: SeDebugPrivilege	5360	tasklist.exe
Token: SeDebugPrivilege	5316	tasklist.exe
Token: SeDebugPrivilege	5764	tasklist.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	5848	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	6068	tasklist.exe
Token: SeDebugPrivilege	6120	tasklist.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4788	7zFM.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
4184	Award.com
4184	Award.com
4184	Award.com
5576	Award.com
5576	Award.com
5576	Award.com
2536	Award.com
2536	Award.com
2536	Award.com
4008	Award.com
4008	Award.com
4008	Award.com
4040	Award.com
4040	Award.com
4040	Award.com

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4184	Award.com
4184	Award.com
4184	Award.com
5576	Award.com
5576	Award.com
5576	Award.com
2536	Award.com
2536	Award.com
2536	Award.com
4008	Award.com
4008	Award.com
4008	Award.com
4040	Award.com
4040	Award.com
4040	Award.com

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4904	firefox.exe
5924	OpenWith.exe
5924	OpenWith.exe
5924	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 448 wrote to memory of 4904	448	firefox.exe	81
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 3820	4904	firefox.exe	82
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83
PID 4904 wrote to memory of 572	4904	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GlоbаlСhеаts.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43f523e4-b182-4708-a96f-2b029a824e15} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" gpu
    3⤵
    PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f918672-5d53-4505-a2b1-c73b77cf8b28} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" socket
    3⤵
    - Checks processor information in registry
    PID:572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2772 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3236 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60fde8ee-7248-4cfe-8bb6-0653628c08c0} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3504 -childID 2 -isForBrowser -prefsHandle 2536 -prefMapHandle 2744 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c5e7d26-a78e-4abd-a88e-217c07b3f348} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4776 -prefMapHandle 4792 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b8cbdff-0698-4948-b279-865c9279c41d} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" utility
    3⤵
    - Checks processor information in registry
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 2656 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf239d19-ec7e-481b-b16e-1f62e942417a} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 4 -isForBrowser -prefsHandle 2660 -prefMapHandle 5320 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26c8e404-80e8-4cc9-803c-1ab6e3ece4d5} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f708c1-2665-4c0f-a7cb-7278259db4d8} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 6 -isForBrowser -prefsHandle 5880 -prefMapHandle 5888 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {718d4c59-a498-4909-a96e-a1553803572e} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 7 -isForBrowser -prefsHandle 6140 -prefMapHandle 6136 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83858fe4-17f8-44c2-85db-ee9179e0768f} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 8 -isForBrowser -prefsHandle 6228 -prefMapHandle 6232 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4f04857-adbd-4bb9-904e-a9e00206adba} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6400 -childID 9 -isForBrowser -prefsHandle 2864 -prefMapHandle 3616 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5875ce-76ea-4961-8544-3628da1f8705} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:3396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6508 -childID 10 -isForBrowser -prefsHandle 6516 -prefMapHandle 6520 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fc79c8a-63d6-4b36-b755-a417083bfb61} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6708 -childID 11 -isForBrowser -prefsHandle 6712 -prefMapHandle 6716 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8a87a22-fb30-4f76-8aa1-1788f008f1ac} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6900 -childID 12 -isForBrowser -prefsHandle 6904 -prefMapHandle 6908 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43e878b1-b96f-49a7-8d46-beca330096f2} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7016 -childID 13 -isForBrowser -prefsHandle 7024 -prefMapHandle 7028 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {181b10c0-600c-4373-8fc2-04527537cd5c} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7232 -childID 14 -isForBrowser -prefsHandle 6464 -prefMapHandle 6468 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {018b756a-db85-4648-b618-6f0d645aa5ec} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7276 -childID 15 -isForBrowser -prefsHandle 6604 -prefMapHandle 6736 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e608b5a2-bab4-4441-b5ca-fa16886bf565} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7264 -childID 16 -isForBrowser -prefsHandle 7272 -prefMapHandle 7280 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c43d6342-35eb-47f2-869d-e9e2220c589b} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:3692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7532 -childID 17 -isForBrowser -prefsHandle 7360 -prefMapHandle 6260 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430d0212-4251-4940-8f0c-6e9baa00aacc} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7540 -childID 18 -isForBrowser -prefsHandle 7372 -prefMapHandle 7368 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df141697-f695-4f6c-a181-575b69c3149e} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7784 -childID 19 -isForBrowser -prefsHandle 7884 -prefMapHandle 7888 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {780b4558-e96d-45de-8e38-7f7e4779663b} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7772 -childID 20 -isForBrowser -prefsHandle 7872 -prefMapHandle 7876 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b01a553-5d2f-4c40-887e-fd0506604787} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8044 -childID 21 -isForBrowser -prefsHandle 8028 -prefMapHandle 7784 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1756a204-63bd-42e2-a852-d976a386b65f} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8160 -childID 22 -isForBrowser -prefsHandle 8148 -prefMapHandle 8144 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56defd11-8c98-42e0-ab23-b5440a4fa05b} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5924

C:\Users\Admin\Desktop\GlоbаlChеаts.exe
"C:\Users\Admin\Desktop\GlоbаlChеаts.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "optional" Holiday
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5200
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4184
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3928

C:\Users\Admin\Desktop\GlоbаlChеаts.exe
"C:\Users\Admin\Desktop\GlоbаlChеаts.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4868
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5360
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5368
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5316
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5440
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5576
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452

C:\Users\Admin\Desktop\GlоbаlChеаts.exe
"C:\Users\Admin\Desktop\GlоbаlChеаts.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5704
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5848
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4820
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2536
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6012

C:\Users\Admin\Desktop\GlоbаlChеаts.exe
"C:\Users\Admin\Desktop\GlоbаlChеаts.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5840
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4008
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6020

C:\Users\Admin\Desktop\GlоbаlChеаts.exe
"C:\Users\Admin\Desktop\GlоbаlChеаts.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5868
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6068
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6076
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6120
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4040
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com

Filesize
714KB

MD5
5f5bf7078d95deee7d750a2e67815458

SHA1
fcae690a516245cac3ac3f04f684f637fb018ab4

SHA256
b6c3842c74e136b42d7203ec544f7d0aa275f6041197c344666f4f2cb5c7a586

SHA512
876438c3c7e659aa4e0179f89a1e671f81ae5158d1071b277fc00a6eb8d3d5786a9671801aeb0fcf1bd0140f7286cea0e823d44b22a4ecddf108a69344184f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\w

Filesize
456KB

MD5
80a1cfa6775746a932000916c28b8e01

SHA1
d8219894f41ae1c2c33b7dacff58c04129c7c023

SHA256
8b0e1c902c4355e7e0057e6fb4ef5208af1b6712f1f9462c1bd166fd719be126

SHA512
ba387cec96e04a9071bb91d491319d9ec0899703f5747d3ec378bc47422fb3208133c024013db8858d5a8cf2bc620a2826cbbd0fab5ce5fa3e9b2eecc3eb4dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Backup

Filesize
60KB

MD5
f4b1e6c582ad59caa2d8c6c6bb0554ec

SHA1
c55c17cf43a51ddee5d4ce6808e2a223930d9a81

SHA256
bc610c1aab5d515a17599f0231e8286ff80b0b08f8c5a53d669fe2144462dccd

SHA512
0403e0e30da996c0051a539cbd0d532dff27e13e3618ca29b62e26a7ac3bfe52269b0fea7211f742f0570d38d23762050c7fcabf5aa6a7efa5a40fbdede952d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bahrain

Filesize
477KB

MD5
b3fe268bf1c8c0b920a26dbd554d796a

SHA1
af73ddb6ce068ec0521e69ef187b9de2ff832e1f

SHA256
6c5997d6ff48ad418d436a9a6d0b8e47a49a5bcf66f3ebd1ce16dae1f6ef3811

SHA512
51ebe5849771d96a11720150a9e9715bd624e9b7e99667e379a8debb652966f408d37d2b4f7a04747d8c05d93680d07e38a4b97114ced48d628efba08f320617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Biodiversity

Filesize
103KB

MD5
052390d31c105bd186e3f8df79614417

SHA1
8efd38a4af6a4c89b360a08aaae65a9b6b0c6187

SHA256
b8ad9b947402de95267b9efaa0a16a30788d3a0d4487d60c132495219ed54717

SHA512
b8451558b2fb992acf5b7e7b298c6e11e0d478c072f62ba99a42f1ceadc4c6d74f11db64742d126c54cc813e87a1bd922e653153c28763d868f8a2f794fe4cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bradley

Filesize
130KB

MD5
122b7252f096128c6718daaf2ff24242

SHA1
f5ea99a8187a749d5e72af1a3f86e161f9252d6d

SHA256
41686a787e07d59c30d2039b9f58785e92c0ea6657b21399f8c563712d7b52df

SHA512
4a5ab596df9d97d48f593def3b156c740c2d7a01fa0af707ed2da89ddcf000409ce60cfea3c4a4d6fbca24d365325286a0391a54c35cd5fb42511803302d3b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cir

Filesize
144KB

MD5
c74780be0db2a848b42f5d697d0b19ed

SHA1
9bb89dbd6e662515361d9b522a92b41f22b15646

SHA256
8a4c49528b00edf5d9877624da7a86f0d34976190f619c82f338d1d342aaafc0

SHA512
63a400cd984d109c75bcc9ddd66b5899d2e7b621a766a34d9447f3dc4bb8776b2193bd607a5217a69e430b08abbd17b3fe72bffed8b7161ff007e935f3cc8b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Clouds

Filesize
103KB

MD5
757e6156f1b1c6cab92e2aea823eec91

SHA1
a53e906823502ac6c0918c27155a33c4e9f15939

SHA256
a9e9919fa3a67063f7629d62e574aa236dc4828c7fcb06565aab94ce67a45d9f

SHA512
a0065038142f6311833f1c2eb8131a212f879dc03d0abc8a0e4817a39b107d81ee55b5e7a3131082e5932b89ea7834345c4ea1a2c20e7aa902ea3415a1818503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consumers

Filesize
81KB

MD5
3cb7d0d5abe63b8b9ff9adf74f9f97d1

SHA1
949fb3915f00a2d1d388d332cdb995688b3c3a4d

SHA256
23a45f997d0e21f220451b7ccb82e008775c47be5227b537c3ec04a19f931847

SHA512
ced9fc864b4999407f204ff7a37f9bc7e560f0c37ad4a9c9b90f1d615bed0e5d59ed05201aa33db2d0fe6d3d92d918e542d93721767b2febb89b45447d411e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consumers

Filesize
63KB

MD5
e6fcf9ecdb2f77112738490a3e35d489

SHA1
e39776c70c734f44a53ee3e5d81ea1a91b1df6bc

SHA256
e57519f6700b072a4f94323fbfc06f0667caf42c6dfa89c8287f51496826f37b

SHA512
34bf5af055b5ff34754c81ed21bedc5cb1adbc88d63b9886324ef172205dd894d6f0c95b6de5f1f6662a2636456e45e3fadbbd136720bd47e656a8f13139b70f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Holiday

Filesize
2KB

MD5
e8e00d2ba2e5c154a3bdd4fc04d3072d

SHA1
7b942c76a3c3819081de941bcb5e46a8692ea73b

SHA256
6169a7e8e8198562ad6c27221ec3c124d9ce467d2a2ac911965590e7e05542fe

SHA512
11d86db7f11ca7e55186b055f188f55f99a7cd2ef490a2e23f734d330b88e641b8af00f8085a45d4b1f362c25b3a62ba285fe6c843a0c3006286d67088bade0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Issues

Filesize
80KB

MD5
3583465c115971e6ed7e072c2aba31fe

SHA1
70fd64bc43ac01c1dc6dc0c0cb61c91929c5e693

SHA256
b448ec23356d38a1cf952da150b7316eac8236453b397a333e62806199589a48

SHA512
d328a4d711d0111d7af27f5e3c0d10cfc3a608a95ea627f7166f736ae12aee68b06274a4e9dc49abc47e1ffc8ae6e241ad1b990148030c96df768c199d57f652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mandate

Filesize
84KB

MD5
f6da7d95db6cebe11e1490b5e8ac1f51

SHA1
3a6af9609a35830a560c9b99b17e2b98f82fa203

SHA256
19c911670c3d2202ffc1b33561befbb4f89ec984ff582aef5f52e3839a6f3c53

SHA512
4265b0e5ecbdee94404c71c43fb2b08a8c83c600700a6bb2ffebed9c4d4ccfff32dac6071ea70db9b8dddc311192991ae85d74a53ac9dc4ff311e93e00f0126d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mentioned

Filesize
78KB

MD5
f1e272a7bcab469f549691fc85a20e7f

SHA1
7478205fa78a23ad71be67e61f2f7499b2914264

SHA256
4dd1cb5136a723f2c926b3fd3cfbedaf03516c74513da445a93ee2003cf8a215

SHA512
177212c0887cdaf5caaf8a3073218b2f7cba3f38ffd4a524dc6f8afa188e9df4a949e1abc8c4c4019d62178f60ade39c3bc75ddfe52569cf487c672823e2c31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Parents

Filesize
65KB

MD5
0c669df38669d613d335f496d00d562e

SHA1
090bde5d2de32ec83d0a35774a93c900eb446085

SHA256
70874431186c98e2c8c6cb68c83716c2cc3a6dbf9f7fedf4ff16572e7ec51040

SHA512
63a53502cc410e65aa4b5ac288e796e19b140ae1a191a92d913caafc4abc1d0debe1d15ba421662b297af2084cc290a02e8e49ca976a58caae6623d08cffeadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Points

Filesize
74KB

MD5
167d3a0fce5bb800dbce79aa6553b4bf

SHA1
26222963e947aac6cf5ff55237c04610d9b6c03e

SHA256
44ebdff83199d47287a35010babd3c219d05bdfbaaab8e6395ccec0180905a3d

SHA512
f0acc4f94009cd525d290277910ecdf1818c080c34f922bc0f1e639cb2316daaf4d8ea69710c0a6a009aad3db756288b8604b43c889e8b54a2de646ad665ddfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Print

Filesize
76KB

MD5
0c609fb905a4c385ab65ec9930de866f

SHA1
717627ff0b20d695831430fdc16be91bf07ac59a

SHA256
b22d307df159f52433518f42e38c3131e55ff6cf1a6204358b50abab846ee2d7

SHA512
ddcc614160de0ed6352228f82f9a7ce7321603bec99b3f1cf8be85b1c709dcd530a535a10f06472c1fcb3f1b34822abea3a4da19cbd2f8413e77374d32b1b858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reactions

Filesize
25KB

MD5
13384638051cfd0facbb47bf2f74a1da

SHA1
da4685cb3c5ee8d2064554f5a96ac1fbf5210447

SHA256
84411c03a9a8828c972751722bcdddc57fbbf9680391055cedf84a7b0d9294f3

SHA512
2602cd0088e60988e47ecb87fda5468b52e3ccb5d20e0aaf5df11c44d27c0e246147ea3e1a6fcd7226f13ac4909309b8e0281d2ada3e0e94f8693afa3889c199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Saddam

Filesize
76KB

MD5
23adda7020b4d1ba835915f6b892c41d

SHA1
ffe1bcc4fe9e8e0dfccc18c556f0f43b2ce3cb91

SHA256
b0b92533eadaaa6f874eee33087f318fb52fb43a3f6da04efb81a1052ad7d2c8

SHA512
b3455877792638ae7f8a1512c883fdc2d8112113f14b0c48a27e41170148a8425b967c796a0645ce9466860ec6113bcb21bbcc65a43973d2cbf34000a9a29746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Saddam

Filesize
63KB

MD5
3949c27e205f2f4a94c326bf3b9278f0

SHA1
2cc375a5f98df080dc1a2861e79058d5b96530ae

SHA256
4ab1a1a70501020bc459a2f9d4ec0f03f67ba0c56723827820a54d130dae8d39

SHA512
4b6e56c728d9cb195a8f4d23aab0ab62e279868634422f11549d75c566da11db5e1be20cce1b310e3762758ec10c24f807099f8a6497e9397ae8896ed80242ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toner

Filesize
80KB

MD5
447f8b3a446ad10a6e43cb7716d191a1

SHA1
f086793f1557702a814dbbe73e976a2dc2c7db83

SHA256
03198d1011838090c926670d0cf4a2c63ca224df930b0d18c60e87d0fdbdb221

SHA512
455f8794026f2818c4c50a146ae40eacaa6926177228d852df7b5eb238b9598c9746c8d12ef94ec01fb475437e925934986f4c084be9852dc16c34f9bb089d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Treaty

Filesize
144KB

MD5
f966b412f8dfd0576f77fefb550c6014

SHA1
7fe6bee7dccb1ba2cc3320c5e079c8ffb175e2fa

SHA256
6a8f1879670a285417b48dbe8fdb75351d68b0e529a2f1736e812239dc4b8099

SHA512
768cd135f97de4dbb06535db9d97693dd48807b26a50e857413ff6227ca95ee69c266038f83d9f69f7cbb0a689419ff1c5cf57b3e2c95f9834829d7de228af45

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
9f09daf9f8e9218f80b5ebbbeffdbb08

SHA1
a688b86bf411c50f55935dad8828d8ff44945317

SHA256
2a20f3eb031ada4cbf66eead9772eee6d1ec965a0f0e25c84667caf78b9faa28

SHA512
205c8a3d8a7e4a2d3a69223239b782178e0d51cf70133788ce96791e1ef26018e658d79cfea7aeb571830551a63dc5f4e6eec443a0cd22fd009871847e376912

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2370b413b45aaab1d21529423e590c50

SHA1
be3c7588d50ef814b9b36f59415e1a463c3cd4be

SHA256
8809b9adb47b03e209f352b6a4088c58bd55cb27567deec248672a9fe030f26b

SHA512
b792ea12ed65a2a746f475d0e2371b2efc5336417db171aedb4765435cdc2df8fde5ca9d4e89390dd364bf6c8181ae85858d2802c07c406352b86fb25ac85438

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\1c5d31db-3972-4b2f-a98e-49393510f499

Filesize
24KB

MD5
c92a58ed53479abc8157bafd2dec71a7

SHA1
cec79897c3c08f7007212793c79da4ab72044d03

SHA256
4d1d933fa4a9888416ad380a51d0b504d7357e40cf37a66ea4db564ecee1ffa4

SHA512
7ea7b8d48d69dacb12d837aaa53c7c69cc54f7dae92d375ce9a11f60b00a8d5020588c9692af13ef03120016c1a34c42f4424a852881c7c78330babfb9359ead

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\aba95388-033c-4718-9ee7-f7f5eab0ba1e

Filesize
982B

MD5
33c476ff259499bfd64aea5e55059b1a

SHA1
11c23cff9bb440cf6953456a2a3757c27e0adfda

SHA256
e8bc4c81dcd362880cc439c7d424ceef9c0c97a9907d14939dfc16b799222898

SHA512
870e3056b9d58d1cba8f4813b213d7684b7e100f7a4ea2afe8a70aafd7c7da2347256919a7da44249ba9b0417c8f4b5a1a404483c8e1d76a747e716a9e2e2d44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\baa5dc34-13dd-4e9f-915a-64bb562977b2

Filesize
671B

MD5
76544891d60991ab0a0b36c28a2d3762

SHA1
523991b9f5a31067a78df9032d54af04e7430c0a

SHA256
ec4a63f0c38786a90086155407fd27873762b56c8e8fc299f9a1df95c796aec1

SHA512
71cee78cd9a2b9e1728ef1d1d2624d4748ce6898325f25e22b58bccb00068936102a1952b8589e8ac17fd49bc6e2f15ac95547b7fff7f784fed5c08346977797

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
10KB

MD5
3811fee32bd79a64a0bdc6512224c5f7

SHA1
0597239dcb8808d0ceaa6ffb2693ebd3d38d585e

SHA256
e2a3ef40666994287aaa19585078f766eb970fb97128789345650c400e242b8c

SHA512
fb663fd23413e9ba1d01dea8cf716e71ee43c13e85ac7aea3b4fce5a7756c05dc85e9968e373b4a0a3452584e28b235a4650fdd99f1ccf35805e9a6027b6ab2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
e3710f819091e886b765a6c9257d4704

SHA1
ccc3ee99251f4a4c8cf7461ccd9343b77ba2e685

SHA256
8be43ffa4b77415f02e2eb3819c1ecbd583fbf4049bd86483416cc19c7d5ca46

SHA512
f5e566981a609f3e99c14d98efa13259df6cec38605bda04ada2f4f3e4e0f945acd85a247f20d8cd713a0aa4943cee0e72deb815b5976d279dcae893b6fb16f5

Download Submit
C:\Users\Admin\Desktop\GlоbаlChеаts.exe

Filesize
1.0MB

MD5
a3b68347154010b2449e8e535bd82d94

SHA1
68ba0631b2c552c7ae36685d1b333a3c6e031009

SHA256
420da15f5fae4683dc4d601dd3e0de38325fb61eac4a2910f7edc9801f4f906b

SHA512
dee7a44ab53cc91921561021837e74c978afd06f5e37240d05dc1d8ef76151ec6fa913f1253f53a88bef0e27e4b850e88ea737bff89e78526346f938cdb6c65d

Download Submit
memory/4184-610-0x0000000004CE0000-0x0000000004D37000-memory.dmp

Filesize
348KB

Download
memory/4184-611-0x0000000004CE0000-0x0000000004D37000-memory.dmp

Filesize
348KB

Download
memory/4184-612-0x0000000004CE0000-0x0000000004D37000-memory.dmp

Filesize
348KB

Download
memory/4184-614-0x0000000004CE0000-0x0000000004D37000-memory.dmp

Filesize
348KB

Download
memory/4184-613-0x0000000004CE0000-0x0000000004D37000-memory.dmp

Filesize
348KB

Download