guloader | 59d6b1004c591e6f62bb86d29afa064d1dc7605c5c516afc042e59faf584f7d5

Analysis

max time kernel
11s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
Size

681KB
MD5

1e2741f2f68609ad56a73fcf592e167e
SHA1

481f7d22ba7546db8915991569bf8072f1f2d3e7
SHA256

59d6b1004c591e6f62bb86d29afa064d1dc7605c5c516afc042e59faf584f7d5
SHA512

d17ebaf198e7458f061b606e2bd913f1f71c6e9ddbee4881096a386191fb65197561e2a782ad64cc59c830e4915cab0d28fb7c05719a05ec389e4df46cd80458
SSDEEP

12288:XOQIRQ7v8lpyiaxF6JQiQsoi4inmLiqBHNBmO8J4yW7TPjci1Ghd6BjnhDmCnr9:PEpy/qJQooPDLrHnmQysjcbohDPnJ

Score

10^/10

guloader remcos host-1 credential_access discovery downloader persistence rat stealer

Malware Config

Extracted

Family

remcos

Botnet

Host-1

176.65.144.154:7070

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CTQRUZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2008-1264-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/1184-1269-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/988-1271-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2008-1266-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1184-1269-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2008-1264-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/2008-1266-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1348	msedge.exe
4532	msedge.exe
3880	Chrome.exe
5052	Chrome.exe
4748	Chrome.exe
3648	Chrome.exe
5032	Chrome.exe
1956	Chrome.exe
4728	Chrome.exe
1528	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
5912	Genopretter.scr
3552	Genopretter.scr

Loads dropped DLL 7 IoCs

pid	Process
2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
5912	Genopretter.scr
5912	Genopretter.scr
3916	Genopretter.scr
3552	Genopretter.scr
3552	Genopretter.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cynias = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Plumpening123\\Genopretter.scr"	Genopretter.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cynias = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Plumpening123\\Genopretter.scr"	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
218	drive.google.com
168	drive.google.com
185	drive.google.com
187	drive.google.com
193	drive.google.com
197	drive.google.com
206	drive.google.com
210	drive.google.com
224	drive.google.com
191	drive.google.com
212	drive.google.com
226	drive.google.com
37	drive.google.com
189	drive.google.com
198	drive.google.com
27	drive.google.com
204	drive.google.com
26	drive.google.com
148	drive.google.com
162	drive.google.com
52	drive.google.com
66	drive.google.com
111	drive.google.com
164	drive.google.com
220	drive.google.com
222	drive.google.com
131	drive.google.com
160	drive.google.com
170	drive.google.com
183	drive.google.com
195	drive.google.com
166	drive.google.com
179	drive.google.com
181	drive.google.com
202	drive.google.com
208	drive.google.com
214	drive.google.com
216	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
6100	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
5912	Genopretter.scr
3916	Genopretter.scr

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Kliks.ini	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
File opened for modification	C:\Windows\resources\0409\Kliks.ini	Genopretter.scr
File opened for modification	C:\Windows\resources\0409\Kliks.ini	Genopretter.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Genopretter.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Genopretter.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Genopretter.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
6100	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000024261-353.dat	nsis_installer_1
behavioral1/files/0x0007000000024261-353.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
5912	Genopretter.scr

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 6100	2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe	91
PID 2584 wrote to memory of 6100	2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe	91
PID 2584 wrote to memory of 6100	2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe	91
PID 2584 wrote to memory of 6100	2584	DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe	91
PID 5644 wrote to memory of 5912	5644	cmd.exe	96
PID 5644 wrote to memory of 5912	5644	cmd.exe	96
PID 5644 wrote to memory of 5912	5644	cmd.exe	96
PID 5912 wrote to memory of 3916	5912	Genopretter.scr	99
PID 5912 wrote to memory of 3916	5912	Genopretter.scr	99
PID 5912 wrote to memory of 3916	5912	Genopretter.scr	99
PID 5912 wrote to memory of 3916	5912	Genopretter.scr	99
PID 5252 wrote to memory of 3552	5252	cmd.exe	103
PID 5252 wrote to memory of 3552	5252	cmd.exe	103
PID 5252 wrote to memory of 3552	5252	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DELIVERY DOCUMENTS AND INVOICE.scr.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6100
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:3880
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd1d8dcf8,0x7fffd1d8dd04,0x7fffd1d8dd10
      4⤵
      PID:4044
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --field-trial-handle=2052,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2044 /prefetch:3
      4⤵
      PID:892
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1948 /prefetch:2
      4⤵
      PID:1864
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --field-trial-handle=2328,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2324 /prefetch:8
      4⤵
      PID:5984
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4748
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5052
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4816,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4808 /prefetch:8
      4⤵
      PID:1800
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4912,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4908 /prefetch:8
      4⤵
      PID:1164
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4272,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5032
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4976,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5028 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3648
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=1992,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1788 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4728
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4940,i,9557181347474341572,18032959068045721010,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5652 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1956
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\doqqpofsxywkbqjursfligwetgzz"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\oqeiqhqllhopdexyjcaellqnumjizrn"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykjb"
    3⤵
    PID:988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:1528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x26c,0x7fffd106f208,0x7fffd106f214,0x7fffd106f220
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2664,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2660 /prefetch:3
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2680,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2632,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2624 /prefetch:2
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3600,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --pdf-upsell-enabled --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4328,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4364,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:8
      4⤵
      PID:764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4960,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8
      4⤵
      PID:2032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5056,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:8
      4⤵
      PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5620,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:8
      4⤵
      PID:5236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5620,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:8
      4⤵
      PID:3432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5724,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:8
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6008,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:8
      4⤵
      PID:1784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5680,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:8
      4⤵
      PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6136,i,7648512150374901358,2255048981778165417,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6032 /prefetch:8
      4⤵
      PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
- Suspicious use of WriteProcessMemory
PID:5644
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
- Suspicious use of WriteProcessMemory
PID:5252
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6056

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:672
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6832
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:7020
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6508
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6700
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6836
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6240
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6464
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6020
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6412
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6324
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6680
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:7112
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:7160
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:7012
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6836
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6428
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6160
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6256
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6652
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6436
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6268
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6604
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6588
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6520
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:6608
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6228
- - C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
    3⤵
    PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr
  2⤵
  PID:6160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
63555b9438668590c730df3cf7136208

SHA1
bb4812d06e7b85657312698d8c783df3c05e4016

SHA256
089fa2eaaeeb529cebf9f537f482b54b70926e182efefabdbc72db7fba9dd5a6

SHA512
0d08a2bc7c6ade7ee070973bb39580e3741cc42b5c822548669a678a50b02a81c56334408e2074be184131cd23237578f7c35d2bad86ba8d0b3266d129b35457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D1B2C3FDC4CC18AB2F25B2BB5E2D4A02

Filesize
471B

MD5
c0dbbcb8c13063973855d591e2be11c7

SHA1
bb47a4c34e07a04bffe7bd280dd09dd30b00f8d9

SHA256
843f9d392b82b9a0a936e8f68f67ab2381f065d552e9a00aa0bc1f8a96d571d9

SHA512
2bed576ea4466e8082c7aa9ee34f234832ac54c29eaca135226a6cad19fc3f1ebbfde407431184e4042459da36486b3d6718c83e101c2bc6bdfc8f2aff98e5a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_767BFDABB86D2457BE4D67797F01BA7C

Filesize
471B

MD5
aa9b4ed22115231f67bbd9d9e53c3a35

SHA1
b540202305cd2e6621117b086b52c51284134f7f

SHA256
a9e6dfa2d356bed45a658f738669620cfcf06af8f605a12b39116727acf0c0dd

SHA512
8facb334642b218722b3f8ea1ea984ccf50e0eb5443af8edbbb1b3a0fc7aa8e92b4717a45907c34f24e4a361e5292d40b84237dd0523f7f0a2c9c29eb113dbb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4bf57942df17abce6b9ed0f963b688b2

SHA1
6c96006feeab3ddcc99c49743ec80668edef6e3c

SHA256
dc62d4b6ad4d3abff1e48d21c071905bb36e52e779b0bd5f7d858cc4310c1ee0

SHA512
ba67a13bc779783e7320eead84374649703cd23e48c3f3db497bb830a3e0bf571f029c80c72cfa0258b58304a096e8bc1be6e2eebe506bbcba0837923a86745e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D1B2C3FDC4CC18AB2F25B2BB5E2D4A02

Filesize
402B

MD5
4243a5df62b3d4544603826c915ad8bb

SHA1
f02c1b15c12d7da9e3e9909a974258472d3bdcb9

SHA256
b297190c8494278dfdf0b0a24ef54fc02b483e9177e4da15d90749c3c2af5bfb

SHA512
9993fff3584b57f6a657fe0322d38eab6891cfef99dd781948728c5f4eb9e1b759abc091f005044b09af96ee15ca041e9b4d6d5fc6a89c54a64e44c1bb3eac8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_767BFDABB86D2457BE4D67797F01BA7C

Filesize
406B

MD5
e4100c4b884db7023701ded80cc3d564

SHA1
81868215263ee2634dfb1172289d1086b36a269f

SHA256
09f5c522caa47a75fce21d5f44ff565ee4d206d4383b93766ede77344a4fb5fb

SHA512
61b24692cae7624078dd691ce729ea0290eecb33582a718ef760aa8c56efae92ab5beda8f2cf0f88c02be0a2dde7890640c2b9db5209f90962322057432a4155

Download Submit
C:\Users\Admin\AppData\Local\Algebrization.lnk

Filesize
878B

MD5
624681e1a941513a520a1472609be916

SHA1
a76b5294bf13ddbf5973981cec178f1d3ba2a4d5

SHA256
7dedd576ac1eaa370a58411542528e54b9daf8431aede71a5acd3f3aca22c280

SHA512
244dbee2c6d770346221a7f21604fa682c2487b5162c3a8a08d0b54509745aca16b4acb9fdea599e3e4b4b3cff9bae98fad0fa3ef0108d0b64608341a8d37f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plumpening123\Genopretter.scr

Filesize
681KB

MD5
1e2741f2f68609ad56a73fcf592e167e

SHA1
481f7d22ba7546db8915991569bf8072f1f2d3e7

SHA256
59d6b1004c591e6f62bb86d29afa064d1dc7605c5c516afc042e59faf584f7d5

SHA512
d17ebaf198e7458f061b606e2bd913f1f71c6e9ddbee4881096a386191fb65197561e2a782ad64cc59c830e4915cab0d28fb7c05719a05ec389e4df46cd80458

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\674e39ef-0f87-4791-8c68-f13181bda3b4.tmp

Filesize
37KB

MD5
7e17943a2273cb1d8b56e3dbc6dc5ae0

SHA1
426ab9afa122524f04d539651e32ddef0e5d06bb

SHA256
8c81228fb52132e55e859d428e3c7386f39cdeae97764dedcb97e2ed134dd03d

SHA512
b578d96e6b1ea78d2cb50ced01d078f4439b5b718dc6c3af77e291d0b874180c24c5df68146e5600307b5cdbf6faf5e1dca8df84a3c8ff73f883f25aa7fca649

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
ea624eb55de982b70219ade3e8e0c52a

SHA1
8d0a39d5ec7b1c57295ff18b6480e1a280455aef

SHA256
a7d90c7f3f0dffffbb875977f50ad5aaf3f73f2b971e83d58243762113d392e0

SHA512
caca3d5dd46a6c3c7282b7e8c907ba1c689d08caf687023d831fbc39f906361fd9f8a9af56e867a40b43dc9193e9b6e8fb25346d4167b7c4c1677e882eab890b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
94b87a44f436a10e8a9a9a2346c2b2f2

SHA1
27ddf05026255eb6851aa2ee1f32fda2d6cf1764

SHA256
bb58a2ee47fe7c8fe95a2f671365868e9a9cbda85f9014fdb4d98e7eea789f2e

SHA512
7a9e62be16ea77868f94c0ef057335498d892e2e563c49ebd0fc97cb7f148c0917aaa57830ccfbd0c50f42c94e3b0016cd4dbbcc6ffcc4b0eebb041765db04f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
d49654900c2f636deaadeb2fe177ba5c

SHA1
297f9bc9e6c584600f69853e6408da7b28b98c8c

SHA256
dabe028f56f52ada01c8aba015057456216cca9c20c03844d8b07e46d93144ff

SHA512
62d0b5c6a6e14621d8e4802cb3f0dd84d195a0f7da90ff75dd88e7576634d01dbd7729ee1fd8b116688703317e93150dad4cd007a39d5d11381c40c9f973acce

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
6a6f9d9c34bbc0ccb645d5bdab7fb190

SHA1
d7ae7b44cb2710f7d37ed2c5941934646a487272

SHA256
e92c3be07377e64d26a52d303d6716b25490344a03830a8514dc827a50ee4a36

SHA512
290091055e2c73de0bfbe3bba07f4397fda2df0cd0eb8e76decdb76c7be618fbf0b2a0c926e32210e3b5c2c582045a0b73b575e99fd5c33ae0130bb8090a98d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\_metadata\verified_contents.json

Filesize
1KB

MD5
738e757b92939b24cdbbd0efc2601315

SHA1
77058cbafa625aafbea867052136c11ad3332143

SHA256
d23b2ba94ba22bbb681e6362ae5870acd8a3280fa9e7241b86a9e12982968947

SHA512
dca3e12dd5a9f1802db6d11b009fce2b787e79b9f730094367c9f26d1d87af1ea072ff5b10888648fb1231dd83475cf45594bb0c9915b655ee363a3127a5ffc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Network Persistent State

Filesize
2KB

MD5
3b1ccf26f2ee08461d1662a5a32d8c75

SHA1
5dd63dc393d5b2196a45615194393c099c75e997

SHA256
62490d8591f21f5f9f7df547d59c167098d55b2ac6bb5c3064448ddff63ad03a

SHA512
b23aa2f313aacb2f2a1ef62f4d3306148f62d7f2396d8535cca3a341bc282e33a1639eb6695dfb7b9cce4a390e3f9c841636a7b80bb662e888a46f9790e78313

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
11KB

MD5
10209c92da725f060fd3a40a1ff3b53a

SHA1
3a406abbfd61be4daf08110351a99f5ccb94aaca

SHA256
eb1895372aebe8875d54e3b4a7a8c632777ccde49094807387ba3f2cc70d3713

SHA512
25bb4f0718d4ad722a0318180f6b394dc5b58c30bafd08895a6d734140a486f64973a215901f7b90849fde34ba71430119cb8608a778ebe5bcbda989890669dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
a18ee37f325752b8da1d72f1185493fa

SHA1
827c22110964bbb5f52c603f3ef20a91b2313570

SHA256
eb1d5d2e158651699c501b7953206e1979a225e28f2938f3722cd6c0505e6295

SHA512
b8d7fa05745602672ed3d4f64243da63dfa84448f6c0d58f1310e15d0eea45118757c0b8786cbaf88750bba2215ca50b0fda83cc3e581b710d43c54621575697

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
32KB

MD5
22cac13ed4aa0ed681914098c00b1e98

SHA1
7a22b86b9fe6d52ec71f9b54422bb505cc46c677

SHA256
b371e9a4b5a446088bb823d1b85b71fd679d808a7337d9312992a9152775d92c

SHA512
c1b35187d2207e7f6c6033140378686cf74ccb666aeb68329d45be034015fa4ff2d5f2583ad8fc6f306425ba4c056aed6eb26aa0bf1dd39e7b87a90a0f30ba09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png

Filesize
927B

MD5
26496798ba29a454042d60c9633c1e72

SHA1
65977f9cc15dd73026c91b479f1bc678050c8c45

SHA256
af50d64bd3cc7c3d201cb5abf0d76f44737e2a4040741ce178d9765fe440bcc5

SHA512
a4a61f66c712fcd27681073c2f30fda3a98fb6348ac4451d8a8e181e525f4ad8491a09d19c17dfb8f01a53eecbfc3ba25f370afd9df5b2ecb9b613236ecdd3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png

Filesize
1KB

MD5
815ddced6b03c8a62cb590ea4585fcba

SHA1
9f7e8cce2319b15ec63d89f837a173bd247e6998

SHA256
3339af4538fdfa40bb438469e35f6b7668d5c5ac93db0ef4a9e2fbf9ae884446

SHA512
ec7069b51959572c40dfa02f380b081912053898b4d4f86166b90bd277f9e8271d0fb3f0627e82645052ebe021c2e24698785e5214e82190a2298f32dd879b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png

Filesize
1KB

MD5
f2222b9d8dea52f5ce7d75378de76037

SHA1
e3b266fca2e5bf8bd82a62791902e879af7ff6fd

SHA256
e895cbcc424d6000a15b21d7cc9dec96deb2403a1469761ba3d9f11528c215b1

SHA512
74b947bc915c89f27954b5d0c8c790316ace581a20f7031aa91af3d95303ff0dd8cb4c87d3746ef2b13f76e0e8bba1b5b4a6916f3230c0514164fb1700640f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Temp\scoped_dir3880_1679822440\Icons\128.png

Filesize
1KB

MD5
396369d945adf93fcba40c33de48d7b2

SHA1
104871c9e3f76f615b3da80e09c513787bf08b2a

SHA256
311b922287618c19e33f3cde7a3150a094215b79f0811e5a862b1ccb4f8298b9

SHA512
5ffe4ba38f16456b25aab3b859e589bb165d847f9e5ecaba80cfceb0d5b86dee8d4280187a5777c2a006a40905e4e5ddc80db9e9bfde365492ceb720ce3607c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
46KB

MD5
c83967d08391d75979ec44566830e1af

SHA1
54bf8e2fdbb3618d368837404a16a197c4b15172

SHA256
162d58813f879dda921a7312e7a225a991f05388bc924e70655cf49c66d99c84

SHA512
618c68cc7237164b229fca37ff567886dd7e3cdcd1b56c3a9171b9a06c7ebb97697a759da8e238f5db59fe1789a508b68347c418f90736c938dc2fbc880f8c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
152KB

MD5
ab6005d87753e619ac0bfe01ad3609c1

SHA1
0b748c4a8f26151603b5e2d625b25f133409a3c5

SHA256
4184e05dfe78635fcc206a048333697abe72118b399db48a780a9bba011c9813

SHA512
2965a728bfef587e46640682db718d49db28b7fd3593543b0ddc35d7c952920b5101fa74f4fbf5e56a52a93c8a9693941ec807c830869d1d14f22f0a153fb892

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8331e26-7c91-47f9-84fb-0f8c5a63b783.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh594C.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1528_338952874\c1d0bb91-a3b4-4b89-80c1-4bbdb546063a.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4df8f635611e0838acd9d76a2ad9c1ec

SHA1
ac907160a921e9353324524906bdfedeac2cfad4

SHA256
06eb8473e34cdaed1ae99ec8dbcf6121d584f05c87303130c1c80e6483253045

SHA512
40c6d92ea6ad7a21943396409ba126c22a045ee65a715f0ca809740acfc9f933778eb2683868dd25a2d48d35769a660b67f7429a477642b81178390b6335773d

Download Submit
C:\Users\Admin\cloggiest\Kalkerendes\puruha.txt

Filesize
221B

MD5
df9fa49faf249915adf6a4d474d70041

SHA1
f92f465b8d49dc1162c686b92f3ebc4de8e488f0

SHA256
68bb8eca2df233e7ff75a034e76084731c55340d46c873e2b7f210b70b39fdd8

SHA512
c68f4546cf60425033e883c380db77f541157eb783345448fe7dcefea0d7f3bbb2128fdead54e0cdee4622dbf7b9382beac8bad1ed670b2c8b70af6b7a289759

Download Submit
C:\Users\Admin\cloggiest\Kalkerendes\superimposition.ini

Filesize
546B

MD5
0aeed7ee73e48ad4e1cf11546eba9853

SHA1
24d27aa2cbf7db35f85d3a2a5ec092001e7d2b1f

SHA256
719cf25fc1742e9f7f8ed4d7debda539f326368ad61993edbef47c5a55acc9ce

SHA512
04ac622a7561f5060b02fb45c1efcd43fcb37cbfbabfc34feebccbcc15ecc915d3b06e0fcd2d8c79a6464b0ff1e038a8e255aab35985be5682e5779904868e96

Download Submit
C:\Users\Admin\cloggiest\Kalkerendes\vekselstrmsgenerator.ini

Filesize
377B

MD5
846c151ef295191156b71ab58b4152f9

SHA1
3435d312cae276a21e3457b5f74c1134847539ad

SHA256
7ec121bad64186adfb8797375af053953c52675a3e9f07596e3d155366e83bac

SHA512
499e6ff994422e93a46d3410bdbfe8c955b62dc8a8650cebb339ea67dc3209b07ff8cf02c7fc3572690f1c670b8d1558d9a6b2c423cd08bc95dbc0cabbcf2d32

Download Submit
C:\Users\Admin\cloggiest\Splitternes\unhusked.Dob

Filesize
349KB

MD5
2307a91402317190dada1df5f75e3d5c

SHA1
7c3ddcd013af3e21bdfeaca36f83e95428aac1c3

SHA256
ffebe62c9a829b4fa385d492cee84576011be27cfd0eb67665db887acb21bea8

SHA512
2f987ecd2a2ab6a1fef3a9233fef942babb543c0ee83674effe1773e50630536b3840e83ca8295ad1e8a170bca983f9b94cfd1bc1bd1fa607c1602ce19bef297

Download Submit
C:\Users\Admin\cloggiest\Trotted\Crimson5.ini

Filesize
375B

MD5
fefd9a35a310702723a3d673046254b1

SHA1
033849c240f9fcd9255a34cde30a6f3b97acc4ff

SHA256
721eda7c72fed34d788ca5c5bea531a38a37b6847f936d3df09786f6d28d24e7

SHA512
e819b1f490b44e3c32b90b69a7d8331e66fe35da244f8e65da8f920dcf720749a61da1c61e48d7158d22ae3b70407df8b88cccb56dfe78ca39c79696bd4ed3a5

Download Submit
C:\Users\Admin\cloggiest\Trotted\Hotheadedness.ini

Filesize
493B

MD5
1f9edb2cfd2367032c9e3b638e7dad76

SHA1
1fbdcfcd51c5841d2784e84a7bc43693a60afa0b

SHA256
be333b3dfd62c7f77acce39498692a50f4c36c4b64af42d4612436754d8dc609

SHA512
d66ec947891afa056b5311c2f00123c543148c8ebeedb2771fe4dea1f7a1d57449d0ba273e0b71d93dcd9917bae1c6f291ecb3a92a629ffa2a636e52a7c5695a

Download Submit
C:\Users\Admin\cloggiest\Trotted\Limnologic93.ret

Filesize
286KB

MD5
bf340aa971e3623100292a302943c250

SHA1
719b7edfca3287d4df936516c8bf9080ed09afca

SHA256
8507d30e5ae4f71c895a409d80655779b0861c1443a1d3ee54e6f1721cfd5cf6

SHA512
ea30485e26a9c7509a62899ff2eeeaa42d8ce849a10157e823b57dfe7199554160a57bab1e411b424e123e784d1e69962fc2cac51ca38c0e432d56b8bce686db

Download Submit
C:\Users\Admin\cloggiest\Trotted\clysters.jpg

Filesize
74B

MD5
1f48026df6e9e4aebc2867cb2a07a07d

SHA1
8098b69100ff43d1df93d7d42fead7a6aebe7638

SHA256
994252c8960cf2a4008c57bb64c39a18937638230293db1ca2cbc7bc63fc8ba5

SHA512
4edb34ee05c85efa311df528adc8954273fdfd6ad563aea480befee9e100e79f9492de3f26fd69ebd4bc510096866092dc24213835281d91bf8a9c536a725149

Download Submit
C:\Users\Admin\cloggiest\Trotted\favnfuldes.txt

Filesize
163B

MD5
0d7f6a5fcb30db8babbb2cd925607a22

SHA1
988fbe4366a6a0b2f5a2c472952d6ebab63d901e

SHA256
58f7eff4aafc9466508620b54bf356064b21ef63945c0324afb7d061489b7899

SHA512
8467e06039a80b85b2570e01a210ee328c24d0569610a9ea5acfffb7d7988641d2fec30581073db3d80722b816c02930105e284bb760927520651eef97ff0a93

Download Submit
C:\Users\Admin\cloggiest\Trotted\forfoelger.ini

Filesize
562B

MD5
3396fdf25e9d75c540a151f43c6fe0ae

SHA1
ef4d6b5167ab51bdf5d4f430e600de04082b3043

SHA256
58323aae9a1c4c1e7f149430b9b825aef99120f78de36e8b242dbd99bb983216

SHA512
8d44b957dea2e5d125a3df7b87cb35e346c26c7a870a55a005d28282f5f3f81289f8fd418ddde5b26be679a2e2b927a3dc096a3bbf85444bc6799f8a32debd1e

Download Submit
C:\Users\Admin\cloggiest\Trotted\groveres.txt

Filesize
256B

MD5
d628b011abe78ab3e9c7ff518a320e8d

SHA1
55ebbc975b69fcdd1d186d557060e935cd8e4847

SHA256
487c76cfc8c1d5a8687f92ab452c69ae5cfe929078e915d1f3a29a85b659ebce

SHA512
f61cb012e9e2a8bdea6234d50f5f2fe810c740766f04039cfb75a43560ad6987ee38199a9e5fa3f0ec73a1a44010bc7b9ead0bcd32154c479c332332a540b736

Download Submit
C:\Users\Admin\cloggiest\Trotted\hoplology.gla

Filesize
113KB

MD5
e71df140f8a8254f915149cc48f9a9f0

SHA1
91d901c01db42da9eab967e6f287f2b37626d6c5

SHA256
7fb6612846b8aefe02b1a801bde49697c456958daa28c54cf034c7579aebe5ab

SHA512
be8d02ce5c641218980d26bf50a4d2afedb577c10cfdb6d6fd30a953d15107f79d1e0a70072292ca43887fcf65d6331c35663060f31a665992fb17c3d23f1e11

Download Submit
C:\Users\Admin\cloggiest\Trotted\indoptoges.cuc

Filesize
333KB

MD5
2352d82907e8d627acdfe282178e53c8

SHA1
ba9266a4f426c200c5049856a888683abf94d79a

SHA256
f142feaa33cf82e2d8cb471c96eb0ed34ca44a28b458fe0fdf6d9c631ed42a3b

SHA512
b17f4cd865709106b4d3ff1ac9f3609b6fec3a3693f7fcec30c596edf6124d11f01f6e61474d4da4d88766eb60aab0d66c72fc1c792742e33adb94c5f1fd3c9e

Download Submit
C:\Users\Admin\cloggiest\Trotted\korrektheders.ini

Filesize
346B

MD5
7330e4a8ff82a2de0f1e54d11da15900

SHA1
8cd3e9c69bb90c030ff77f5068ff37373572538f

SHA256
37d4f55b5031eac881b83f02c4b86d555904dafa5ce9fe03a22d34d716cbc3c5

SHA512
de7cf93028f13e57a705a0c6367cfb9d89160638ecad7da0d12faaeff992801b78559f00fb3370587221470539ebeb85878e5c549cb506ccd844eb56c676ae6b

Download Submit
C:\Users\Admin\cloggiest\Trotted\labella.txt

Filesize
452B

MD5
1533e7d3f37937c06e81845f5c5f7fcb

SHA1
c94f80c8f556ad842411dcfdbc898cb303250e80

SHA256
cb9c51c1f1600ed6a1273103b4f6168d5c3e7fac599706ef81e2f52b92815af9

SHA512
49406536216cb8986800a05dd39a908fc3f30f22b8f2f99ed7b14227c5083574aa46ffae7da13faf902b042ec145c2446d834832db0a976ad98af5eede996d38

Download Submit
C:\Users\Admin\cloggiest\Trotted\unliteralized.kle

Filesize
18KB

MD5
6aa051e0590321647fbcb85281e4072c

SHA1
cd6173e5159de5de37ad3bb6ad1480e1072970ed

SHA256
62977dc00e7ac315d6d38e63d2a95fe7e4ce3ff3b9b7fdba99e3dced02ca6898

SHA512
ae6fbfac1a913883f2913f777b45a0ab6e46d4ff36b4abe89bdf8ada1746dd67bf7af8babae067e913d1ea618bd1598b84eb105e463ac90a1fc0d90b6ca67621

Download Submit
C:\Windows\Resources\0409\Kliks.ini

Filesize
35B

MD5
0c00b5f2cc22c0156b4ec2c0cc5123cf

SHA1
da32e0c02c6add2ea7f03a1c28a1503d43c6b7da

SHA256
2bb24c9a9a7561436ba37e5453403850b49660abe279fc8ea522df3c8047ce03

SHA512
dbeb264ec8959d3f96a90f1263640d044a44fbc7baaeb9804c401b978102d435bf182d35037ed98c2acc5d75f769acd451f7bb41de155482d6676943b11795fb

Download Submit
memory/988-1268-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/988-1270-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/988-1271-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-1265-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1184-1269-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1184-1267-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2008-1264-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2008-1266-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2584-348-0x00000000041C0000-0x0000000006A23000-memory.dmp

Filesize
40.4MB

Download
memory/2584-352-0x00000000041C0000-0x0000000006A23000-memory.dmp

Filesize
40.4MB

Download
memory/2584-350-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2584-349-0x0000000077C21000-0x0000000077D41000-memory.dmp

Filesize
1.1MB

Download
memory/3032-1637-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/3032-1638-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/3032-1127-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/3296-3168-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/3296-3167-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/3916-739-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/3916-1171-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/3916-1155-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/6056-1636-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/6056-2492-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/6056-2494-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/6100-1316-0x0000000035680000-0x0000000035699000-memory.dmp

Filesize
100KB

Download
memory/6100-1132-0x0000000034910000-0x0000000034944000-memory.dmp

Filesize
208KB

Download
memory/6100-2225-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/6100-1128-0x0000000034910000-0x0000000034944000-memory.dmp

Filesize
208KB

Download
memory/6100-806-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/6100-1131-0x0000000034910000-0x0000000034944000-memory.dmp

Filesize
208KB

Download
memory/6100-746-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/6100-3200-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/6100-1312-0x0000000035680000-0x0000000035699000-memory.dmp

Filesize
100KB

Download
memory/6100-1315-0x0000000035680000-0x0000000035699000-memory.dmp

Filesize
100KB

Download
memory/6100-1136-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/6796-3520-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/6800-3118-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download
memory/6800-3522-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/6800-3521-0x00000000016E0000-0x0000000003F43000-memory.dmp

Filesize
40.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads