hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

24/02/2025, 02:19

250224-cscjgayrdl 8

24/02/2025, 02:15

24/02/2025, 02:13

24/02/2025, 02:06

24/02/2025, 01:57

24/02/2025, 01:53

Analysis

max time kernel
72s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2025, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

defense_evasion discovery persistence privilege_escalation upx

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
24	3324	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	VeryFun.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4252-378-0x0000000000F00000-0x000000000109C000-memory.dmp	autoit_exe
behavioral1/memory/4012-383-0x0000000000720000-0x0000000000814000-memory.dmp	autoit_exe
behavioral1/memory/2980-404-0x0000000000C10000-0x0000000000D1C000-memory.dmp	autoit_exe
behavioral1/memory/1744-414-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-415-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1252-418-0x0000000000700000-0x000000000080C000-memory.dmp	autoit_exe
behavioral1/memory/3940-423-0x0000000000BA0000-0x0000000000CAC000-memory.dmp	autoit_exe
behavioral1/memory/1744-446-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/796-470-0x0000000001000000-0x000000000110C000-memory.dmp	autoit_exe
behavioral1/memory/1744-497-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-855-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-884-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-915-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-934-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-944-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe
behavioral1/memory/1744-945-0x0000000000800000-0x0000000000E3D000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 4252	1744	VeryFun.exe	107
PID 1744 set thread context of 4012	1744	VeryFun.exe	108

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002800000002acad-357.dat	upx
behavioral1/memory/1744-375-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/4252-376-0x0000000000F00000-0x000000000109C000-memory.dmp	upx
behavioral1/memory/4252-377-0x0000000000F00000-0x000000000109C000-memory.dmp	upx
behavioral1/memory/4252-378-0x0000000000F00000-0x000000000109C000-memory.dmp	upx
behavioral1/memory/4012-379-0x0000000000720000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/4012-383-0x0000000000720000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/4012-382-0x0000000000720000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/2980-402-0x0000000000C10000-0x0000000000D1C000-memory.dmp	upx
behavioral1/memory/2980-403-0x0000000000C10000-0x0000000000D1C000-memory.dmp	upx
behavioral1/memory/2980-404-0x0000000000C10000-0x0000000000D1C000-memory.dmp	upx
behavioral1/memory/1744-414-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-415-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1252-416-0x0000000000700000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1252-418-0x0000000000700000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1252-417-0x0000000000700000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3940-421-0x0000000000BA0000-0x0000000000CAC000-memory.dmp	upx
behavioral1/memory/3940-422-0x0000000000BA0000-0x0000000000CAC000-memory.dmp	upx
behavioral1/memory/3940-423-0x0000000000BA0000-0x0000000000CAC000-memory.dmp	upx
behavioral1/memory/1744-446-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/796-468-0x0000000001000000-0x000000000110C000-memory.dmp	upx
behavioral1/memory/796-469-0x0000000001000000-0x000000000110C000-memory.dmp	upx
behavioral1/memory/796-470-0x0000000001000000-0x000000000110C000-memory.dmp	upx
behavioral1/memory/1744-497-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-855-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-884-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-915-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-934-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-944-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx
behavioral1/memory/1744-945-0x0000000000800000-0x0000000000E3D000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\System.ini	VeryFun.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VeryFun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848364433204656"	chrome.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\apk_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\apk_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\apk_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Winword.exe\" /n \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\.apk	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\.apk\ = "apk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\apk_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\apk_auto_file\shell\edit\ = "@C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\oregres.dll,-1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\apk_auto_file	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\mobelejen.apk:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1580	Winword.exe
1580	Winword.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe
1744	VeryFun.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4836	OpenWith.exe
2804	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
488	chrome.exe
488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe
4012	cmd.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
2804	OpenWith.exe
1580	Winword.exe
1580	Winword.exe
1580	Winword.exe
1580	Winword.exe
1580	Winword.exe
1580	Winword.exe
1580	Winword.exe
1744	VeryFun.exe
4252	cmd.exe
4012	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2516	488	chrome.exe	78
PID 488 wrote to memory of 2516	488	chrome.exe	78
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 4364	488	chrome.exe	79
PID 488 wrote to memory of 3324	488	chrome.exe	80
PID 488 wrote to memory of 3324	488	chrome.exe	80
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81
PID 488 wrote to memory of 4592	488	chrome.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffb79cc40,0x7ffffb79cc4c,0x7ffffb79cc58
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4544,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4296,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - NTFS ADS
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4704,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5260,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5220,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4552
- C:\Users\Admin\Downloads\VeryFun.exe
  "C:\Users\Admin\Downloads\VeryFun.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5492,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5284,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5636,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5656,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4776,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5372,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3132,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5716,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5464,i,4148184334545675285,10231187188396865780,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:2936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4836
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\mobelejen.apk"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=19AC58CA2308CB23C3E5B79AABE49EE2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:948
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=05993CB736A263E5F055FE378DC90C32 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=05993CB736A263E5F055FE378DC90C32 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4932
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=04F021EC3A84E2508D2EB016504FCF6E --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3908
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1742992BA3A69BDF772CEEAE48E82510 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4720
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=53849F1896FAC66EA7A080E9EEAC13A3 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2804
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\mobelejen.apk"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D8
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
78141b5ee3900761ee6d382572ce2d08

SHA1
9f5eb898f46a3def6634ec6ee771ddb3adc0114d

SHA256
a57e1b79ba1cda5cb90330e2b73715fecf6905db5d8584f505b84c539b4f8924

SHA512
861f9e239574fbcd2ca298787a15a3e8c0b763696c6653148ac165fe91bcf96196160a061a2d384a6a00da88028468e483ade76dc44be4768c03568fdb61aa26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dc64776de7435a324dd9f8da163715e5

SHA1
5746388f85e59e451f685ae89310989caf4a9457

SHA256
61673d2b88edfc14dba57c54f96291f1ed947c6cb1f1aa285bf45e1f1b59af36

SHA512
2ff32fc332e3d53c0562e9bd41dff3d76a1012352124cd81cd0655a2d08fc35622bf0d58be23990cf8f3eae8ed9f86e3d95838166a751907a8c8d8938aa6237a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
234075ffd405bb5254ff338a9705f7da

SHA1
2ba4a191ab27ec25ff744308fa2ee4e1e7db3877

SHA256
19728f361a526c8cc8d1731d5cad520e27d287f70fbe85dd6458a7866b80cdb9

SHA512
8616c4bf379bdce16f64570ceec6b7d21596d7f06cf33293234be745fa7470ae06c497df54554a6238f02e6778db60bff033848b47e1f8fe2e4758c99f4871dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6f76f5fee745264fd3dda02bf5e967df

SHA1
ca92bc39d34f69bc26c00f349073ec4aa4e5fd97

SHA256
be48e7c9df8aa1ea02c01e770724a8ccc804e440a6459ad41239ccdcae8c4aa1

SHA512
0855a2ec9d7ad60c94580ac6eb8954fa439ab640b659524328def67fa964a4ea9479693b1cfda6e020ca07cc5bfaec209aa15d9db708f4b8df48811aaed20f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cdd7baaf05b09f7800299befd0b00f4e

SHA1
ef7d185c44e771f984a30941a80a02153bdc3f86

SHA256
3ef0c6fe432fcfac4dce65cc8044826bdd59d94e9c91643f7954ea760184bfa5

SHA512
5bee22ebd9d134b8e005fd31e30b32ce728a1e2fddc48543b127a433b4c150221da758990ee441ca411f12d80f67d1fa62f875af4b7ed1eae39eea65344b0e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eccf88e2ca4eb211011b133e826dfe7e

SHA1
d14e6e1673f8ddf61d81540f6012c53957cd71d0

SHA256
bcbaa29f9df317c42f58c47e86ce7a6eff258a7df5800b657e2f8e3d5cc1a886

SHA512
91b2d5f924869a788cee4349277e3e3d3d0dacbc92da8d1239ebabe7191159349fbeadcf45531a5470aa033b09060b3756d81e873410e565f1324da5cbbac856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f57a7840d5253c8184badecbbeb66ffa

SHA1
5c8a1f4899361a1669cc9a89c15b11f90c56c73a

SHA256
31003225cfaca0397cb109703de805516b49dad6b44443f9470d0fdf53c6846d

SHA512
1436349e02cccbe4ff9a43da99611703d1c75f43077f2257cdd73254565967fa51761edb3a812e09451bb9cf090b862d09271628ef4cc41338f49da6524bdb5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
08f448027f17e9f341a6b58efef3cf89

SHA1
2d094cf8c26234985e374f0fbd8a512792a2e6af

SHA256
518d2b6f9afd8dfbd1b885cea70c09673df7f6fd6fa075d272814875881ee2bd

SHA512
41a9473840898474254807135740226906ada7fa0ecdec79e2b2cd3157049444cbf6aba5fa8112f00a49f1cd7af40d03828e723b61b800af2f1c57486e0a83b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5924f7e5b0752790687ed7e263a12ca1

SHA1
a9b738d07bdf8ae86a30bf8f1f7821d52939d06f

SHA256
b6b3660d742dc51c283cf515a0ace6b61d3d1ed783972072141b3981d29ee89d

SHA512
c4a8d099a94aa74f2aeb42aae2e852c8960e9292967555672a3233e1297be6376630bb96c4f0a72656854e5d06cd382a1f907307806b4573b33b405d74c8f506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0a60fcd7f1f724648711a29bb5041bf2

SHA1
6e8662b07b119fb12f132a201deced93b9bb99c8

SHA256
dfc62e2f0f93c04e99be40388378beca6ce377ccac462055aafaf7d1188f2cb0

SHA512
4d5415591f80f70df71abd557f5c53ab8b578914e24b4ee5f595668c3d744443e90502b856ac360d6d44759734fc6909523b9dab6bee2dc150d2ea27bce80f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6467d2e4a208cf93aa51bd24ba668f22

SHA1
84df509deec5d9017d590a1b399696bcfe8bb360

SHA256
6f444af50efb39c4844d5ff5634334e42fce8f6cd80e71f9932d7ad84e1be888

SHA512
4eb73f9c6a1cfd4be786ee6f2c9cb2c12e3a3d1a83d070c69e0cf3e34724d69c8c908127253faa4f45f89bd69f93ef4a260351a6f8ae4bbfc1baef52455fe2c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ac9541b2-c801-43be-93fb-9ecdcf6ec6fd.tmp

Filesize
1KB

MD5
12f6a4a76f2a818fd7eec945e8c1e125

SHA1
8a9070a68b474d5c6443ea7b24ce5c432955b198

SHA256
519b46aeb5a7e827519cd9289ae3b080476de8a99324191faaa378ea1d1d6bc3

SHA512
cd12dceb403be08f78c1d4a2d12e5ae0dae36c6387551b80315844fbe0526c0e0f809d5098996d9b74bf0894bddf6b5c202e68603cc367878efae45a5f889650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df0c6d4eabba713c16845dd58aa5ce93

SHA1
df8843d328a5fc9e715046f0fc5ae260fb9df3fa

SHA256
a1cbb4c6e1e0cca9f5636aede368f2120f2e594695f1c3374f6286b89cf2074a

SHA512
c0c4d58044e0a7983ae4aff2953aa3c070c78d94365ae466682254fbc902589f7e1e320fe06c0bfafdbd308cb4cdc11c752dc2bd75eaa236c149455ae8c8f6ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ddf3d7f6a0426f4035ac22097b26073

SHA1
1b2ebe7af49c055739346d00b6a49c31924aaeba

SHA256
7f48c89fd739b0ed5c89d0b902b49852e888a952622366552bc762d6132bc587

SHA512
f72f7bf322afe8fd92f9682c4ac7d4ea31abdfe79c15d18e38a339279bf696029dab9c720d35562c53170e4a149f1222472bd71ec521e01e42654d561dbaed24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d782ad263b962365b5c00dd135b71bc9

SHA1
ae85816c2af448ed446c3c06269df5a41376e250

SHA256
99d6075cf942ed20a7abf6677d5c62daf5690bd829c18cf7d8dcb314a59a7d40

SHA512
f4ede302cee786b525b6e1f02248a18827458b332025a0f9fd1c00d2d29688c4dcd1f49944367ce0b71a899c0e68ba492f04de2661c2df42652c43a40bb12716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dccc0fb29198accc063d58b3fa3314c5

SHA1
252d81c63d270df66f9a749b63e1c569d0aebf09

SHA256
bdcdd65d742528c258e899473e1a2edcafbf34e4c1173e703678e5ae8b6a5b0b

SHA512
674e5cc6641eb6c7f3ee285270ec02d9728e08218dac99fbcc9782e593940818da8ba0bfd5fa8e10d890afb21b20703389669c5db59c3d306b4b2ab8bccde885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0b37fbe6e1fe21d11b5286844c578557

SHA1
b082821a906a8ae53440fbf62cdde98eaedcfb05

SHA256
e9540011770cff38b839543dae4d5e55f7ffad240e20b3bc6090e7ea37df26e3

SHA512
d0080b9797b4588a31dba41f154841cd196c575bafc3dc018ea41f085db2b84defcbf20bbe839713b5deed9b9eee5c2bfb3c4a2f2999debdf34173e2027f8b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1dbdde76d6822f7a4a8ab3cb1bd7aa8b

SHA1
feb68a88d1df51dd22dc7894f34ea844be3ea36a

SHA256
fe0877e1c1b2f5911db485a17419a3f08601ac71b2c2a395774e15d3380f661b

SHA512
6f641a56764a8bd05a6e773d8c9cc3dde008411015bc312bb7fe9992fa83fd39ff2dc2a5e4c9993da19af617fd4a698b806db9fc702b28577fd53bc5fb2f8a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e9763cddfb8744d8f06b903def247b5a

SHA1
25f71be0985e83edb21d6cba0aab63baaa00b2bc

SHA256
32d5fabedf7c5d06daf16cae21f42ecf2eac5fc42f5e8b908eae79f990fbc379

SHA512
1426c93dfaa385c4f7266062a06d73e975ad87ca70b85fd4246f47d5062c001ac0d83c4df415809c78ba990b9e7945195cdf8264c9e0de77ed1f72add7c8a326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b8922d06a6445a1226c82fb7ea0d1c92

SHA1
078eecf5abb87193d3cca21eadb1cd2cd757d793

SHA256
0667c6ae2ee19eb5dff13318d44742b8faa061f1a021a8e54b7e6c5d1c2dd87f

SHA512
4ffcb0929a427df4aa1d35c1253d2ac99de2f7934c1cefd80d1afbe99b090095f93b1f56b8a603d561a609a9fde7a8f5cd9036d2955ef6438eb4996fed95b5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
32dc6aac8caccd2b831b6c4994256dba

SHA1
693b8f79ed08f484929f6a6da4ecf1eef410617d

SHA256
e7c579cfdd6d4bb9505cbc2a117e051f04f2042306dbe61e118fa90e940f73f3

SHA512
a4a067fb0e007c16561fb9db10d2f7f7951afc2affb5538a8b7ff3dfbfa583d67d0df3ff3635b97c6ff06bd545c3928645890aaaf328abf1d657818be77c1914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68b50e0bac683ed41c4d3d6534ed960f

SHA1
8e8b758e2e4f554049a19cb22705ecf9ea0093cf

SHA256
3845e3d4440efd426e24fe8157002d12a37cfc392d37e757fbed143e2236b882

SHA512
9ffc4bfd08129ffacadfdce93ef7f15c568261fc0dc56bf2a2edaf5c0d2e253d436e52f3dfc4b71ae18708804abfcb4ac73b03343fb278522589e330e5b32cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9c95bd9a-c056-4f0e-a83a-0a081d351093\index-dir\the-real-index

Filesize
2KB

MD5
cfa22b98ef9f29dc0203bb9cd36d7520

SHA1
be375a46ecfd964ae71f0279c6a7b3c0d6f0e499

SHA256
f04af92716483d6db9731da35e906dcb0297440a6472b66ea7c1077dc943d49b

SHA512
d7c3c6c26b5da0042401fd26cabca6f51617904a951a86205708d8c463154890297390930231936f09d7f49c5679a514f603ac1d8ffee1bf6aeb2d471d599aee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9c95bd9a-c056-4f0e-a83a-0a081d351093\index-dir\the-real-index~RFe598524.TMP

Filesize
48B

MD5
34c444b754575c0a69308525e94e9b7e

SHA1
a4909f72cf8ec154d7d93678343ab8bfde54fec0

SHA256
49076ab942694802ea18da8692e1a1c3500710d18ba511590e338a70db25b50d

SHA512
e934fe1fdd794f6e126d31ebde2b43e5c0a6a2c2204b572262dd4cd82929758cfd6b986ccf8a80b847d19904bc3901e68260a39e84953032ce9a9c85aadac107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
07a49b37be86b1062bc6df1d7793990c

SHA1
e40dc0b42e6a0354a28a14a326630e7941f66ade

SHA256
7cb90b89a333a726b36b5e24d46d945007c0819623f0fe3236ab506c12a5b942

SHA512
356bf97701139954a3899883868ad463f274c918640eb143a302c1d5e76437ac998b1c7a85053a76a4ee80ecc167b1efe564d353ffdd9c53e30d8adddff7ba45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
e5c836cd4cd23336a999986c0a11967e

SHA1
ece97b5d05938f3cf8af93e168990e3136ae6338

SHA256
44e0d190b8fd958258c20371c7ecf9dc6fc0a0b7b376fc540c7b1013325ba188

SHA512
32afa1840da0374a774bf4ed5575df47ae63033f4046e0c3b95dc163b2708e843912e0b4476ffb32eed951f233e7fa9c912199c785cb680ce33f63770c8a3dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
0726977aca28d14b8e378da0a97c33bf

SHA1
6201aa8e26c4ced5b2e996e0964acd822d437171

SHA256
e35733acc8a5559d0df13f67bdd2c1fd94251658347f11b568e0e9a34e8e4b53

SHA512
336fe59ce23d4152a9af639c965f7c1595e068e5692ec279d696944fd1683f0871d78f0526890a1140bbaa029f498e5d9f7e50ddb61df6440dd5c31386b28b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe591dee.TMP

Filesize
119B

MD5
95113cd869a9abe5da47d15e18259622

SHA1
a9336af815822fc5779567f23c6c197047d61c11

SHA256
08c0112eeb95b4c6b3c9d342df57305601cabd61a9caab7b5c58c59bc1436b0c

SHA512
f1acaf11dee7816651a90f55b5f4869945db52ef2a2a21d35acac264d183032f3fe32826584d65d34cc7f6f8b373b94feaa1030cbfad6e38ae8f856654673e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7e05d147134e0c1db9b446c1a280cb91

SHA1
abb9398907ea569ad39726706facfc3bb281c6d5

SHA256
b6c9951154a335c2eb1d246c7e5fd020d54fff30334fee302fe24d96546011f3

SHA512
0816a855726445169547cbfff3be1203481c6820a3d978aafea5f0acd8841d5b10c58f8559b0b3725f6f498e5f9b8805bae2f030904533187fb4c121e8c57bc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir488_2105453680\Icons Monochrome\16.png

Filesize
214B

MD5
1b3a4d1adc56ac66cd8b46c98f33e41b

SHA1
de87dc114f12e1865922f89ebc127966b0b9a1b7

SHA256
0fb35eacb91ab06f09431370f330ba290725119417f166facaf5f134499978bd

SHA512
ce89a67b088bae8dcd763f9a9b3655ed90485b24646d93de44533744dfcf947c96571e252d1ad80bdec1530ff2b72b012e8fff7178f1b4e957090f0f4c959e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir488_883013468\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir488_883013468\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d5091690-ed5d-48fb-b72d-9d7d0eef0c42.tmp

Filesize
9KB

MD5
0e01f9f096c26a4388704e9f504eca95

SHA1
298a46b8cde9c2dd331516e1d1e00381eb3c171b

SHA256
7bcf6b5f7bee4d33a740355b1ea1c5eadb2c7f6758696a5f6e6f59d16988fb98

SHA512
5e9c52c830ad073efef3f0f63301f5c4af313c69dad631e8be9078906947cf9740b1bdbdb225b17cf21f08d94d2f3b067128c115169bb83590ecc38e75c51d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
a7498178ad2465f042c0bdef574ad93a

SHA1
9a10be34dfb85537ac31ce764a17284cb78433a4

SHA256
e5a643315994ef976994b6181dc40a32633d1eae2cfee0d0112c51bbe41310f6

SHA512
b9c12a3df8f72a12f91fa5698a02ec78da4d2f44c3c741a5efe3cb29b8fced61380e9eb54144fff84a4408de03e091cc0cff70a16dc1fc9d153ecbccf2562fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
3053aac4d6b5700683d7c1a38a4ed90d

SHA1
18659db2296e3e4aff783a35ac2cdffdc547bc04

SHA256
38dad20185ebda4088b1c14a1b77ed1ce2b8d18cfabb0e17c128c5663d089ef4

SHA512
62755acde0e52c926b90e16556ffbdb3c9476b885efdfde2f5c091527f2d5bde4a81cd2d6cdd2c79847e9ed3bb9bfc82d2280432f3f4a984cbd441bae31954a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
11f9af961479157607774c6d9ec75632

SHA1
b28fdf18f3ef2ac416e923c2699e538bf88d48cd

SHA256
d7897e80818b644f140de4d55427df72fa34c7869b01082579777667191392ca

SHA512
0cbdcd624b860caa833e805668870b66b799d2b474955d1af089dd6163062e0a3926a870dab558d62740d3d1d665e3a9ac257395bc22fc3ad90e93b79d8dcc1a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 612179.crdownload

Filesize
3.0MB

MD5
ef7b3c31bc127e64627edd8b89b2ae54

SHA1
310d606ec2f130013cc9d2f38a9cc13a2a34794a

SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

SHA512
a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

Download Submit
C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\mobelejen.apk.crdownload

Filesize
549KB

MD5
45be5a7857a4fa1c5eadd519e9402e8a

SHA1
36feb0809c1853f9a1f6d587302691abd7ce90e9

SHA256
7d59e24f4bdf28a846d21e2608796f7e91389c4778bec75369d7b05e3f8449a5

SHA512
46c869051e0c97b68f4388b87caecd82bf7362110a34ebb28ddc5fcd6c8a0e339eeaafbfce54d22593e245457fae7ec4c36b49a8556d3327ba7f90a40dd96a73

Download Submit
C:\Users\Admin\Downloads\mobelejen.apk:Zone.Identifier

Filesize
225B

MD5
4bac302e722f3c0f85c935b71ec25266

SHA1
f5f7142640304e0866a048c587398ff48f684e50

SHA256
cfe7b3187401a3a97c9bfba76b00d85a6c2da6d383c00ccfef012ddbf43d6bf7

SHA512
dab8ac34ee77725803098c5e934431b73edb8727853926e25cb40c0a8d212c7bbb2bf0da36dbf09d97047109a44f1d26ea15f026b66b0787405bb20b85a5b1b8

Download Submit
memory/796-469-0x0000000001000000-0x000000000110C000-memory.dmp

Filesize
1.0MB

Download
memory/796-468-0x0000000001000000-0x000000000110C000-memory.dmp

Filesize
1.0MB

Download
memory/796-470-0x0000000001000000-0x000000000110C000-memory.dmp

Filesize
1.0MB

Download
memory/1252-416-0x0000000000700000-0x000000000080C000-memory.dmp

Filesize
1.0MB

Download
memory/1252-418-0x0000000000700000-0x000000000080C000-memory.dmp

Filesize
1.0MB

Download
memory/1252-417-0x0000000000700000-0x000000000080C000-memory.dmp

Filesize
1.0MB

Download
memory/1580-338-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-339-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-299-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-302-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-337-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-300-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-340-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-301-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-303-0x00007FF7CA5D0000-0x00007FF7CA5E0000-memory.dmp

Filesize
64KB

Download
memory/1580-304-0x00007FF7C83B0000-0x00007FF7C83C0000-memory.dmp

Filesize
64KB

Download
memory/1580-305-0x00007FF7C83B0000-0x00007FF7C83C0000-memory.dmp

Filesize
64KB

Download
memory/1744-915-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-497-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-945-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-414-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-884-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-855-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-944-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-446-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-934-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-375-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/1744-415-0x0000000000800000-0x0000000000E3D000-memory.dmp

Filesize
6.2MB

Download
memory/2980-403-0x0000000000C10000-0x0000000000D1C000-memory.dmp

Filesize
1.0MB

Download
memory/2980-402-0x0000000000C10000-0x0000000000D1C000-memory.dmp

Filesize
1.0MB

Download
memory/2980-404-0x0000000000C10000-0x0000000000D1C000-memory.dmp

Filesize
1.0MB

Download
memory/3940-422-0x0000000000BA0000-0x0000000000CAC000-memory.dmp

Filesize
1.0MB

Download
memory/3940-421-0x0000000000BA0000-0x0000000000CAC000-memory.dmp

Filesize
1.0MB

Download
memory/3940-423-0x0000000000BA0000-0x0000000000CAC000-memory.dmp

Filesize
1.0MB

Download
memory/4012-379-0x0000000000720000-0x0000000000814000-memory.dmp

Filesize
976KB

Download
memory/4012-383-0x0000000000720000-0x0000000000814000-memory.dmp

Filesize
976KB

Download
memory/4012-382-0x0000000000720000-0x0000000000814000-memory.dmp

Filesize
976KB

Download
memory/4252-384-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4252-376-0x0000000000F00000-0x000000000109C000-memory.dmp

Filesize
1.6MB

Download
memory/4252-377-0x0000000000F00000-0x000000000109C000-memory.dmp

Filesize
1.6MB

Download
memory/4252-378-0x0000000000F00000-0x000000000109C000-memory.dmp

Filesize
1.6MB

Download
memory/4252-387-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4252-386-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download