lumma | hxxps://www[.]mediafire[.]com/folder/a7ri6eoc4wl99/Global%D0%A1h%D0%B5%D0%B0ts

Analysis

max time kernel
292s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/a7ri6eoc4wl99/Global%D0%A1h%D0%B5%D0%B0ts

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GlоbаlChеаts.exe

Executes dropped EXE 16 IoCs

pid	Process
5588	GlоbаlChеаts.exe
5728	GlоbаlChеаts.exe
3568	GlоbаlChеаts.exe
5948	GlоbаlChеаts.exe
700	GlоbаlChеаts.exe
5520	Award.com
2688	GlоbаlChеаts.exe
2760	Award.com
1576	Award.com
5968	GlоbаlChеаts.exe
2868	GlоbаlChеаts.exe
1804	Award.com
1564	Award.com
1028	Award.com
2356	Award.com
1692	Award.com

Enumerates processes with tasklist 1 TTPs 16 IoCs

discovery

Process Discovery

T1057

pid	Process
264	tasklist.exe
1128	tasklist.exe
6124	tasklist.exe
6052	tasklist.exe
5740	tasklist.exe
5812	tasklist.exe
6028	tasklist.exe
5276	tasklist.exe
5756	tasklist.exe
3648	tasklist.exe
556	tasklist.exe
5980	tasklist.exe
3404	tasklist.exe
4836	tasklist.exe
6000	tasklist.exe
5900	tasklist.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BedroomsDryer	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PharmaceuticalsTb	GlоbаlChеаts.exe
File opened for modification	C:\Windows\BoldDramatically	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\PrisonGotta	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NosIc	GlоbаlChеаts.exe
File opened for modification	C:\Windows\KenoGuyana	GlоbаlChеаts.exe
File opened for modification	C:\Windows\NeilEvans	GlоbаlChеаts.exe
File opened for modification	C:\Windows\StudiedFetish	GlоbаlChеаts.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlоbаlChеаts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Award.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
3972	msedge.exe
3972	msedge.exe
428	identity_helper.exe
428	identity_helper.exe
6024	msedge.exe
6024	msedge.exe
5520	Award.com
5520	Award.com
5520	Award.com
5520	Award.com
5520	Award.com
5520	Award.com
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
2760	Award.com
2760	Award.com
2760	Award.com
2760	Award.com
2760	Award.com
2760	Award.com
1576	Award.com
1576	Award.com
1576	Award.com
1576	Award.com
1576	Award.com
1576	Award.com
1564	Award.com
1564	Award.com
1564	Award.com
1564	Award.com
1564	Award.com
1564	Award.com
1028	Award.com
1028	Award.com
1028	Award.com
1028	Award.com
1028	Award.com
1028	Award.com
2356	Award.com
2356	Award.com
2356	Award.com
2356	Award.com
2356	Award.com
2356	Award.com
1692	Award.com
1692	Award.com
1692	Award.com
1692	Award.com
1692	Award.com
1692	Award.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeRestorePrivilege	3956	7zG.exe
Token: 35	3956	7zG.exe
Token: SeSecurityPrivilege	3956	7zG.exe
Token: SeSecurityPrivilege	3956	7zG.exe
Token: SeRestorePrivilege	3092	7zG.exe
Token: 35	3092	7zG.exe
Token: SeSecurityPrivilege	3092	7zG.exe
Token: SeSecurityPrivilege	3092	7zG.exe
Token: SeDebugPrivilege	5756	tasklist.exe
Token: SeDebugPrivilege	3404	tasklist.exe
Token: SeDebugPrivilege	264	tasklist.exe
Token: SeDebugPrivilege	3648	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	4836	tasklist.exe
Token: SeDebugPrivilege	5980	tasklist.exe
Token: SeDebugPrivilege	6000	tasklist.exe
Token: SeDebugPrivilege	1128	tasklist.exe
Token: SeDebugPrivilege	6052	tasklist.exe
Token: SeDebugPrivilege	5900	tasklist.exe
Token: SeDebugPrivilege	5740	tasklist.exe
Token: SeDebugPrivilege	6124	tasklist.exe
Token: SeDebugPrivilege	5812	tasklist.exe
Token: SeDebugPrivilege	5276	tasklist.exe
Token: SeDebugPrivilege	6028	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
5520	Award.com
5520	Award.com
5520	Award.com
2760	Award.com
2760	Award.com
2760	Award.com
1576	Award.com
1576	Award.com
1576	Award.com
1564	Award.com
1564	Award.com
1564	Award.com
1028	Award.com
1028	Award.com
1028	Award.com
2356	Award.com
2356	Award.com
2356	Award.com
1692	Award.com
1692	Award.com
1692	Award.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 2828	3972	msedge.exe	84
PID 3972 wrote to memory of 2828	3972	msedge.exe	84
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 544	3972	msedge.exe	85
PID 3972 wrote to memory of 744	3972	msedge.exe	86
PID 3972 wrote to memory of 744	3972	msedge.exe	86
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87
PID 3972 wrote to memory of 2400	3972	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/a7ri6eoc4wl99/Global%D0%A1h%D0%B5%D0%B0ts
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9189546f8,0x7ff918954708,0x7ff918954718
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 /prefetch:2
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,16333554995929411789,1759360536096683971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2144

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\GlоbаlСhеаts\" -ad -an -ai#7zMap13317:86:7zEvent847
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\" -ad -an -ai#7zMap7591:112:7zEvent10512
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5676
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5756
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:556
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "optional" Holiday
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    PID:396
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:5520
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5968
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:2760
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4852

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5908
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6000
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:5696

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4156
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:1576
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5980
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5900
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5688
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:1564
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1156

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5440
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6052
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1128
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:1028
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6000

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6028
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:772
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:1692
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:5660

C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe
"C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Reactions Reactions.cmd & Reactions.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3912
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6124
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3084
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5276
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 505603
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5288
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Bahrain
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 505603\Award.com + Biodiversity + Cir + Clouds + Issues + Treaty + Mentioned + Backup + Bradley + Toner 505603\Award.com
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Parents + ..\Saddam + ..\Consumers + ..\Print + ..\Mandate + ..\Points w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com
    Award.com w
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:2356
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
153e130e15551dcb1ffb39e8b3808bad

SHA1
29d5be867192641b3906b222e822187523203f76

SHA256
d494033ae6afee7b62611b48bb93f1b6c268dcf3bbbbb678afeb636c06f6dd05

SHA512
e1f6342587fbdf93ff30344088fae72e2abdbf5d1f27b9c00f41ddbc79371421d313b6b0065f873df03caabd4214ec4ba2a94e2010003e5b5d78a3ffbfdb7734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0d591c93049b252cca414d7cd7ea3621

SHA1
34d2ad87b398e5f4776c0c7e2fc071e75e42f283

SHA256
20358139bc231eb63606e706a0ef56e2524b1f47b797599cfb9c2d148423ea97

SHA512
9974bc7a2c6fbffcf5455064187775e8a73b19e90f01ee07f2ce79eeb87f8c4e3030a14b42692bb540ab33ecc1744e5bad2d402fec2938d199ac75314ef3f29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7b5b86d64e40b2602de54e1df5e679ab

SHA1
c3670cd0ed3489e621053343f45abb78555da665

SHA256
2dfb9495927f383feca653b268623e6f73925f5b1b76a3972cad99c65f0ba8d9

SHA512
ddccb03aed12a9d68d01c9722063daeedbad845b4556797fff18dee0b1ba05861c4464b9f8dacf36b55d6d3fda1e7c76e394dc3164b1be604bcbb90d2a59d4a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d89d1c605451f4ff4bd1e3c4a0e7fa9

SHA1
4d9f3be9fadf23ce9a309b32e9b57c8f2e222c89

SHA256
320f3b507b410ca56e710bd80a56e85a99ed722fbd678a3106534a639dd8c821

SHA512
478a7084e3310c1cc7d6f62537272b2dfae8c7c5d4e4a6e6151fac779a583801c7509dcbd0ed5e3fc2f73bb2c4722d71f48c9ec88428b8814978c7bd8cfc0769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
55c0a9b9ffdf6094d363f18b5af691c4

SHA1
0a23bf9820f8d1b4b9b02443fa29f5484eae0649

SHA256
443c51f9179ddf4bf02ce5a7d6407f9443746f17f4a59d7780252b854699ff6d

SHA512
bfde1a654326206e1c5866c7ed48690918e0d9bdc858baaeab1bcdc2a90046e44e0acefd1783b14a03d0c62682656a5778e6bbc5b7e11f037940d709369a79d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e1dc7ae0551b746c2c072b12e9c7c819

SHA1
0a829feb944657414be91705b1fa874a7863d98b

SHA256
bc74526748b478223b84ffd6c06119151bcf311b0c233dcb892f702216529b75

SHA512
774375ab4b4924746c91f51d513ff97559ff94db3197de118ae4b6c6b952f3eb4aba1d996df39981aec21d3bdbd873c96c886b36330491a40548edfb06645711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f64e8cd689375cc45894a780ad9004dd

SHA1
9d0a6d6a09219e488b17c60a54777529d57e1547

SHA256
b273dd506d93aecb3447a011bffaa8bc379bcc3ff94b41b50986359a099d4453

SHA512
1d7f9e87b8d8dfcf04f569533c2e76b7b0d789ad6fbde12b1c1d07160aa7f4bd41f10817e31f3b08ddb5ede5bcdb03dc349abcddcea19494df25ee086edd5650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580068.TMP

Filesize
1KB

MD5
7102bb27098ea9e15abe205d7bc49824

SHA1
4837cdb5e7f2180a62490eab886bda4631cc30dd

SHA256
2f78a4ce1456e3f0ae5d88c7c8c23c04c4ba4a2ef068b46108c11449f027541e

SHA512
82f3dc1c5422cfa46ebf5a2fc5e8213c39f1dc98c56324ba7a5647179dca3a9d15b0516503e5927469b9d2d77fd75c0097be98f2af042710ba1b3d078b6c5c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28abc92cbcadbdefe2c3b88c9544f76b

SHA1
248dbb4b5cfbce733557bc43e8920ed1b3e4be79

SHA256
2651dd3bdda69c156b61b2c73d70efcbfeb774e00e9d992a39500094bda91a29

SHA512
d01206d410582555229e6ef8ea89470bbd7dcf1e363f018c566cadb21f2ade1206a915658389b5e07edec50dc33b19dfd5dc4461d33793f51c2ed3b2c488a74d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b84dbadbdf285ff95b0f7c8289926dc3

SHA1
5e938f711286d799beb20f945e40fd39fb9f3cea

SHA256
536f10ec8058a633673d7039ae397cae60499cad7e177931c2533c22cce9d5e1

SHA512
6890500f7cffcc2f86f6ba35510d387138abf8aa7392767fa4ff0019a0d6fdd9b48b6540576aec14e640cf5aa8f7d845f67f4cf290a8fc4a4107ce0277e31ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\Award.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\505603\w

Filesize
456KB

MD5
80a1cfa6775746a932000916c28b8e01

SHA1
d8219894f41ae1c2c33b7dacff58c04129c7c023

SHA256
8b0e1c902c4355e7e0057e6fb4ef5208af1b6712f1f9462c1bd166fd719be126

SHA512
ba387cec96e04a9071bb91d491319d9ec0899703f5747d3ec378bc47422fb3208133c024013db8858d5a8cf2bc620a2826cbbd0fab5ce5fa3e9b2eecc3eb4dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Backup

Filesize
60KB

MD5
f4b1e6c582ad59caa2d8c6c6bb0554ec

SHA1
c55c17cf43a51ddee5d4ce6808e2a223930d9a81

SHA256
bc610c1aab5d515a17599f0231e8286ff80b0b08f8c5a53d669fe2144462dccd

SHA512
0403e0e30da996c0051a539cbd0d532dff27e13e3618ca29b62e26a7ac3bfe52269b0fea7211f742f0570d38d23762050c7fcabf5aa6a7efa5a40fbdede952d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bahrain

Filesize
477KB

MD5
b3fe268bf1c8c0b920a26dbd554d796a

SHA1
af73ddb6ce068ec0521e69ef187b9de2ff832e1f

SHA256
6c5997d6ff48ad418d436a9a6d0b8e47a49a5bcf66f3ebd1ce16dae1f6ef3811

SHA512
51ebe5849771d96a11720150a9e9715bd624e9b7e99667e379a8debb652966f408d37d2b4f7a04747d8c05d93680d07e38a4b97114ced48d628efba08f320617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Biodiversity

Filesize
103KB

MD5
052390d31c105bd186e3f8df79614417

SHA1
8efd38a4af6a4c89b360a08aaae65a9b6b0c6187

SHA256
b8ad9b947402de95267b9efaa0a16a30788d3a0d4487d60c132495219ed54717

SHA512
b8451558b2fb992acf5b7e7b298c6e11e0d478c072f62ba99a42f1ceadc4c6d74f11db64742d126c54cc813e87a1bd922e653153c28763d868f8a2f794fe4cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bradley

Filesize
130KB

MD5
122b7252f096128c6718daaf2ff24242

SHA1
f5ea99a8187a749d5e72af1a3f86e161f9252d6d

SHA256
41686a787e07d59c30d2039b9f58785e92c0ea6657b21399f8c563712d7b52df

SHA512
4a5ab596df9d97d48f593def3b156c740c2d7a01fa0af707ed2da89ddcf000409ce60cfea3c4a4d6fbca24d365325286a0391a54c35cd5fb42511803302d3b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cir

Filesize
144KB

MD5
c74780be0db2a848b42f5d697d0b19ed

SHA1
9bb89dbd6e662515361d9b522a92b41f22b15646

SHA256
8a4c49528b00edf5d9877624da7a86f0d34976190f619c82f338d1d342aaafc0

SHA512
63a400cd984d109c75bcc9ddd66b5899d2e7b621a766a34d9447f3dc4bb8776b2193bd607a5217a69e430b08abbd17b3fe72bffed8b7161ff007e935f3cc8b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Clouds

Filesize
103KB

MD5
757e6156f1b1c6cab92e2aea823eec91

SHA1
a53e906823502ac6c0918c27155a33c4e9f15939

SHA256
a9e9919fa3a67063f7629d62e574aa236dc4828c7fcb06565aab94ce67a45d9f

SHA512
a0065038142f6311833f1c2eb8131a212f879dc03d0abc8a0e4817a39b107d81ee55b5e7a3131082e5932b89ea7834345c4ea1a2c20e7aa902ea3415a1818503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consumers

Filesize
47KB

MD5
9e431908ea18736ee3cabdefe5ceccee

SHA1
7e2e34624ecf03f701aab4831bdd4afc3e4622a5

SHA256
a1cb6ca4d21dd885a362d4581903bc770bd3dc8d405aa88c027de25494c514c5

SHA512
814b80b46d10aa5c8e6c82506fe78cb4b0ad7ea4512b67e910023d37c39947751ec1eb8e0b6b4f2641dd0ad194a55f356d35958a96efed65cd1bdd7aaf2640e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consumers

Filesize
81KB

MD5
3cb7d0d5abe63b8b9ff9adf74f9f97d1

SHA1
949fb3915f00a2d1d388d332cdb995688b3c3a4d

SHA256
23a45f997d0e21f220451b7ccb82e008775c47be5227b537c3ec04a19f931847

SHA512
ced9fc864b4999407f204ff7a37f9bc7e560f0c37ad4a9c9b90f1d615bed0e5d59ed05201aa33db2d0fe6d3d92d918e542d93721767b2febb89b45447d411e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Holiday

Filesize
2KB

MD5
e8e00d2ba2e5c154a3bdd4fc04d3072d

SHA1
7b942c76a3c3819081de941bcb5e46a8692ea73b

SHA256
6169a7e8e8198562ad6c27221ec3c124d9ce467d2a2ac911965590e7e05542fe

SHA512
11d86db7f11ca7e55186b055f188f55f99a7cd2ef490a2e23f734d330b88e641b8af00f8085a45d4b1f362c25b3a62ba285fe6c843a0c3006286d67088bade0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Issues

Filesize
80KB

MD5
3583465c115971e6ed7e072c2aba31fe

SHA1
70fd64bc43ac01c1dc6dc0c0cb61c91929c5e693

SHA256
b448ec23356d38a1cf952da150b7316eac8236453b397a333e62806199589a48

SHA512
d328a4d711d0111d7af27f5e3c0d10cfc3a608a95ea627f7166f736ae12aee68b06274a4e9dc49abc47e1ffc8ae6e241ad1b990148030c96df768c199d57f652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mandate

Filesize
84KB

MD5
f6da7d95db6cebe11e1490b5e8ac1f51

SHA1
3a6af9609a35830a560c9b99b17e2b98f82fa203

SHA256
19c911670c3d2202ffc1b33561befbb4f89ec984ff582aef5f52e3839a6f3c53

SHA512
4265b0e5ecbdee94404c71c43fb2b08a8c83c600700a6bb2ffebed9c4d4ccfff32dac6071ea70db9b8dddc311192991ae85d74a53ac9dc4ff311e93e00f0126d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mandate

Filesize
78KB

MD5
d7200f3a96e81b44bf6b5b6359954b00

SHA1
8dd9bacdff1bd0b578dad7b1c0213c4c3da5a96c

SHA256
3173296481c19a9fd5a30434da6706887b649e2011d8064057956c1c77fbd23a

SHA512
aee2f34d8e0fdacf4addb24ccfd9a64dd70c2e4c035740f54cfef0862615619f91f1f7886726e9b890755718ed841b5718a06456a94baa486170776abc00f4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mentioned

Filesize
78KB

MD5
f1e272a7bcab469f549691fc85a20e7f

SHA1
7478205fa78a23ad71be67e61f2f7499b2914264

SHA256
4dd1cb5136a723f2c926b3fd3cfbedaf03516c74513da445a93ee2003cf8a215

SHA512
177212c0887cdaf5caaf8a3073218b2f7cba3f38ffd4a524dc6f8afa188e9df4a949e1abc8c4c4019d62178f60ade39c3bc75ddfe52569cf487c672823e2c31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Parents

Filesize
63KB

MD5
3886f7161ed8faf9057fd397ef24ba7f

SHA1
7f881b31d5f331bd3827e615c18221d84108c702

SHA256
9a5162b47832a635f6bceef34d315b7c8ec7d3ceed87d4bcbce5d738b4dd9c69

SHA512
299072acf0a4e4f19bed3f7b1f96775bb39266a9d383e026fc0dff82bf4b2b23a9f873fd21ef3c565968f5d41700bba6b3b1ff6d0c7e414b674171bbca50e21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Parents

Filesize
65KB

MD5
0c669df38669d613d335f496d00d562e

SHA1
090bde5d2de32ec83d0a35774a93c900eb446085

SHA256
70874431186c98e2c8c6cb68c83716c2cc3a6dbf9f7fedf4ff16572e7ec51040

SHA512
63a53502cc410e65aa4b5ac288e796e19b140ae1a191a92d913caafc4abc1d0debe1d15ba421662b297af2084cc290a02e8e49ca976a58caae6623d08cffeadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Points

Filesize
74KB

MD5
167d3a0fce5bb800dbce79aa6553b4bf

SHA1
26222963e947aac6cf5ff55237c04610d9b6c03e

SHA256
44ebdff83199d47287a35010babd3c219d05bdfbaaab8e6395ccec0180905a3d

SHA512
f0acc4f94009cd525d290277910ecdf1818c080c34f922bc0f1e639cb2316daaf4d8ea69710c0a6a009aad3db756288b8604b43c889e8b54a2de646ad665ddfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Print

Filesize
76KB

MD5
0c609fb905a4c385ab65ec9930de866f

SHA1
717627ff0b20d695831430fdc16be91bf07ac59a

SHA256
b22d307df159f52433518f42e38c3131e55ff6cf1a6204358b50abab846ee2d7

SHA512
ddcc614160de0ed6352228f82f9a7ce7321603bec99b3f1cf8be85b1c709dcd530a535a10f06472c1fcb3f1b34822abea3a4da19cbd2f8413e77374d32b1b858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reactions

Filesize
25KB

MD5
13384638051cfd0facbb47bf2f74a1da

SHA1
da4685cb3c5ee8d2064554f5a96ac1fbf5210447

SHA256
84411c03a9a8828c972751722bcdddc57fbbf9680391055cedf84a7b0d9294f3

SHA512
2602cd0088e60988e47ecb87fda5468b52e3ccb5d20e0aaf5df11c44d27c0e246147ea3e1a6fcd7226f13ac4909309b8e0281d2ada3e0e94f8693afa3889c199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Saddam

Filesize
76KB

MD5
23adda7020b4d1ba835915f6b892c41d

SHA1
ffe1bcc4fe9e8e0dfccc18c556f0f43b2ce3cb91

SHA256
b0b92533eadaaa6f874eee33087f318fb52fb43a3f6da04efb81a1052ad7d2c8

SHA512
b3455877792638ae7f8a1512c883fdc2d8112113f14b0c48a27e41170148a8425b967c796a0645ce9466860ec6113bcb21bbcc65a43973d2cbf34000a9a29746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toner

Filesize
80KB

MD5
447f8b3a446ad10a6e43cb7716d191a1

SHA1
f086793f1557702a814dbbe73e976a2dc2c7db83

SHA256
03198d1011838090c926670d0cf4a2c63ca224df930b0d18c60e87d0fdbdb221

SHA512
455f8794026f2818c4c50a146ae40eacaa6926177228d852df7b5eb238b9598c9746c8d12ef94ec01fb475437e925934986f4c084be9852dc16c34f9bb089d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Treaty

Filesize
144KB

MD5
f966b412f8dfd0576f77fefb550c6014

SHA1
7fe6bee7dccb1ba2cc3320c5e079c8ffb175e2fa

SHA256
6a8f1879670a285417b48dbe8fdb75351d68b0e529a2f1736e812239dc4b8099

SHA512
768cd135f97de4dbb06535db9d97693dd48807b26a50e857413ff6227ca95ee69c266038f83d9f69f7cbb0a689419ff1c5cf57b3e2c95f9834829d7de228af45

Download Submit
C:\Users\Admin\Downloads\GlоbаlСhеаts\GlоbalСhеаts\GlоbаlChеаts.exe

Filesize
1.0MB

MD5
a3b68347154010b2449e8e535bd82d94

SHA1
68ba0631b2c552c7ae36685d1b333a3c6e031009

SHA256
420da15f5fae4683dc4d601dd3e0de38325fb61eac4a2910f7edc9801f4f906b

SHA512
dee7a44ab53cc91921561021837e74c978afd06f5e37240d05dc1d8ef76151ec6fa913f1253f53a88bef0e27e4b850e88ea737bff89e78526346f938cdb6c65d

Download Submit
memory/5520-718-0x00000000053C0000-0x0000000005417000-memory.dmp

Filesize
348KB

Download
memory/5520-716-0x00000000053C0000-0x0000000005417000-memory.dmp

Filesize
348KB

Download
memory/5520-715-0x00000000053C0000-0x0000000005417000-memory.dmp

Filesize
348KB

Download
memory/5520-714-0x00000000053C0000-0x0000000005417000-memory.dmp

Filesize
348KB

Download
memory/5520-717-0x00000000053C0000-0x0000000005417000-memory.dmp

Filesize
348KB

Download